CVE-2019-17596

CWE-436 — Interpretation Conflict CWE-295 — Improper Certificate Validation10 documents7 sources

Severity

7.5HIGH

EPSS

2.3%

top 15.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Arista Cloudvision Portal Arista EOS +8 more

Timeline

PublishedOct 24

Latest updateMay 24

Description

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages10 packages

▶NVDredhat/enterprise_linux_server8.1

▶Gostdlib1.13.0-0 — 1.13.2+1

▶NVDgolang/go1.12 — 1.12.11+1

▶Ubuntugolang-1.13< 1.13.3-1ubuntu1

▶NVDarista/eos4.23.1f

Also affects: Debian Linux 10.0, 9.0, Fedora 30, 31, Enterprise Linux 8.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Panic on invalid DSA public keys in crypto/dsa↗2022-05-24

▶

GHSA

GHSA-gcr4-wcqh-3624: Go before 1↗2022-05-24

▶

CVEList

CVE-2019-17596: Go before 1↗2019-10-24

▶

OSV

CVE-2019-17596: Go before 1↗2019-10-24

▶

📋Vendor Advisories

Red Hat

golang: invalid public key causes panic in dsa.Verify↗2019-10-17

▶

Microsoft

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios such as traffic from a client to↗2019-10-08

▶

💬Community

Bugzilla

CVE-2019-17596 golang: invalid public key causes panic in dsa.Verify [epel-all]↗2019-10-18

▶

Bugzilla

CVE-2019-17596 golang: invalid public key causes panic in dsa.Verify↗2019-10-18

▶

Bugzilla

CVE-2019-17596 golang: invalid public key causes panic in dsa.Verify [fedora-all]↗2019-10-18

▶