CVE-2019-6486 — Allocation of Resources Without Limits or Throttling in GO
Severity
8.2HIGHNVD
EPSS
3.0%
top 13.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 24
Latest updateMay 24
Description
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:HExploitability: 3.9 | Impact: 4.2
Affected Packages2 packages
Also affects: Debian Linux 8.0, 9.0
Patches
🔴Vulnerability Details
4📋Vendor Advisories
2Red Hat▶
golang: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service↗2019-01-24
Microsoft▶
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recover↗2019-01-08
💬Community
6Bugzilla▶
CVE-2019-6486 golang:1.10/golang: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service [fedora-all]↗2020-04-22
Bugzilla▶
CVE-2019-6486 golang: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service [fedora-all]↗2019-01-31
Bugzilla▶
CVE-2019-6486 golang: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service [fedora-all]↗2019-01-24
Bugzilla▶
CVE-2019-6486 golang: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service↗2019-01-24
Bugzilla▶
CVE-2019-6486 golang: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service [fedora-all]↗2019-01-24