Veracode Vulnerability Database
VERACODE:42032
Aug 04, 2023 - 3:29 a.m.

Denial Of Service (DoS)

2023-08-04 03:29:08
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
github.com/golang/go
vulnerability
handshake_client.go
dos
rsa key size
fixed
8192 bits
software

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

31.3%

github.com/golang/go is vulnerable to Denial Of Service (DoS). The vulnerability exists because handshake_client.go does not set a maximum RSA key size, so extremely large RSA keys in a certificate chain can cause a client to expend significant CPU time verifying signatures. The fix sets the maximum RSA key size to 8192 bits.
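The key-size limit described above, shown as an added Go example (not code from the Go project or from this advisory): it rejects a certificate chain as soon as one RSA modulus exceeds 8192 bits, before any signature is verified. The names `checkRSAKeySizes`, `constructedChain` and `maxRSAKeyBits` are hypothetical, and the sample moduli are constructed numbers, not real keys.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
)

// maxRSAKeyBits is the 8192-bit ceiling the advisory says the fix applies.
const maxRSAKeyBits = 8192

// checkRSAKeySizes returns an error naming the first certificate in chain
// whose RSA modulus is longer than maxBits. Non-RSA keys are skipped.
// Reading the modulus length needs no signature verification, so the check
// is cheap and can run before any expensive chain validation.
func checkRSAKeySizes(chain []*x509.Certificate, maxBits int) error {
	for i, cert := range chain {
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok || pub.N == nil {
			continue
		}
		if bits := pub.N.BitLen(); bits > maxBits {
			return fmt.Errorf("certificate %d: RSA key is %d bits, limit is %d", i, bits, maxBits)
		}
	}
	return nil
}

// constructedChain builds certificate stubs whose RSA moduli have exactly the
// requested bit lengths. Constructed sample data: each modulus is
// 2^(bits-1)+1, which has the right length but is not a usable key.
func constructedChain(bits ...uint) []*x509.Certificate {
	var chain []*x509.Certificate
	for _, b := range bits {
		n := new(big.Int).Lsh(big.NewInt(1), b-1)
		n.SetBit(n, 0, 1)
		chain = append(chain, &x509.Certificate{PublicKey: &rsa.PublicKey{N: n, E: 65537}})
	}
	return chain
}

func main() {
	fmt.Println("within limit:", checkRSAKeySizes(constructedChain(2048, 8192), maxRSAKeyBits))
	fmt.Println("oversized:   ", checkRSAKeySizes(constructedChain(2048, 16384), maxRSAKeyBits))
}
```
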
