CVE-2018-16875 — Improper Input Validation in GO

CWE-20 — Improper Input Validation CWE-295 — Improper Certificate Validation10 documents6 sources

Severity

7.5HIGHNVD

CNA5.9

EPSS

0.9%

top 24.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Opensuse Leap

Timeline

PublishedDec 14

Latest updateJul 15

Description

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDgolang/go1.11.0 — 1.11.3+1

▶NVDopensuse/leap42.3

🔴Vulnerability Details

OSV

Denial of service in chain verification in crypto/x509↗2022-07-15

▶

GHSA

GHSA-8gx8-4ch8-vgp8: The crypto/x509 package of Go before 1↗2022-05-14

▶

CVEList

CVE-2018-16875: The crypto/x509 package of Go before 1↗2018-12-14

▶

OSV

CVE-2018-16875: The crypto/x509 package of Go before 1↗2018-12-14

▶

📋Vendor Advisories

Red Hat

golang: crypto/x509 allows for denial of service via crafted TLS client certificate↗2018-12-13

▶

💬Community

Bugzilla

CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 golang: various flaws [epel-all]↗2019-01-08

▶

Bugzilla

CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 golang:1.10/golang: various flaws [fedora-all]↗2019-01-04

▶

Bugzilla

CVE-2018-16875 golang: crypto/x509 allows for denial of service via crafted TLS client certificate [fedora-all]↗2018-12-14

▶

Bugzilla

CVE-2018-16875 golang: crypto/x509 allows for denial of service via crafted TLS client certificate↗2018-12-10

▶