github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f: 3 vulnerabilities (highest severity is: 7.5)

[mend-for-github-com]

Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f

[mirror] Go supplementary cryptography libraries

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-27191	High	7.5	github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f	Direct	N/A	❌
CVE-2020-29652	High	7.5	github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f	Direct	v0.0.0-20201216223049-8b5274cf687f	❌
CVE-2021-43565	High	7.5	github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f	Direct	N/A	❌

Details

CVE-2022-27191

Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f

[mirror] Go supplementary cryptography libraries

Dependency Hierarchy:

• ❌ github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

Publish Date: 2022-03-18

URL: CVE-2022-27191

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2020-29652

Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f

[mirror] Go supplementary cryptography libraries

Dependency Hierarchy:

• ❌ github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Publish Date: 2020-12-17

URL: CVE-2020-29652

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1

Release Date: 2020-12-17

Fix Resolution: v0.0.0-20201216223049-8b5274cf687f

CVE-2021-43565

Vulnerable Library - github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f

[mirror] Go supplementary cryptography libraries

Dependency Hierarchy:

• ❌ github.com/golang/crypto-baeed622b8d86045ff442b324772b0ad306a2b3f (Vulnerable Library)

Found in HEAD commit: b64ae757f88959311bae621aa93906de93a064b3

Found in base branch: main

Vulnerability Details

There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.

Publish Date: 2021-11-10

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.