CVE-2015-8618 — Sensitive Information Exposure in GO

CWE-200 — Sensitive Information Exposure8 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 27.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Opensuse Leap

Timeline

PublishedJan 27

Latest updateMay 14

Description

The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDgolang/go1.5, 1.5.1, 1.5.2+2

▶NVDopensuse/leap42.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-f7x9-6qwf-8m25: The Int↗2022-05-14

▶

OSV

Incorrect calculation affecting RSA computations in math/big↗2022-01-05

▶

CVEList

CVE-2015-8618: The Int↗2016-01-27

▶

📋Vendor Advisories

Red Hat

golang: Carry propagation in Int.Exp Montgomery code in math/big library↗2015-12-21

▶

💬Community

Bugzilla

CVE-2015-8618 golang: Carry propagation in Int.Exp Montgomery code in math/big library↗2015-12-21

▶

Bugzilla

CVE-2015-8618 golang: Carry propagation in Int.Exp Montgomery code in math/big library [epel-6]↗2015-12-21

▶

Bugzilla

CVE-2015-8618 golang: Carry propagation in Int.Exp Montgomery code in math/big library [fedora-all]↗2015-12-21

▶