CVE-2020-28362
Published 2020-11-18
CVE-2020-28362: Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
Priority: P3 · 40 · high
CVSS 3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 3.81% (88.7th percentile)
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.15 1.15.5-1 (bullseye) | golang-1.15 1.15.5-1 (bullseye) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | ethereum_go-ethereum | >= 0 < 1.9.24 | 1.9.24 |
| golang | go | < 1.14.12 | 1.14.12 |
| golang | go | >= 1.15 < 1.15.5 | 1.15.5 |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.11.0-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-2_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_golang_1.15.13-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV
Denial of service in go-ethereum due to CVE-2020-28362 in github.com/ethereum/go-ethereum
osv · 2024-08-21 · CVSS 7.5 · HIGH
GHSA
GHSA-gff4-9rfx-4pcw: Go before 1
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-295
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
GHSA
Denial of service in go-ethereum due to CVE-2020-28362
ghsa · 2021-06-29 · CVSS 7.5 · HIGH
### Impact
Versions of Geth built with Go `<1.15.5` or `<1.14.12` are most likely affected by a critical DoS-related security vulnerability. The golang team has registered the underlying flaw as ‘CVE-2020-28362’.
We recommend all users rebuild (ideally `v1.9.24`) with Go `1.15.5` or `1.14.12` to avoid node crashes. Alternatively, if you are running binaries distributed via one of our official channels, we’re going to release `v1.9.24` ourselves built with Go `1.15.5`.
### Patches
This is not an issue in go-ethereum; rebuilding an older version with Go `1.15.5` or `1.14.12` will suffice to address the vulnerability.
### Workarounds
Rebuilding with Go `1.15.5` or `1.14.12` will suffice to address the vulnerability.
### Reference
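A build-time gate a defender can run in CI to refuse toolchains the advisory above covers. This is an added example, not go-ethereum's or the Go team's code; the thresholds follow the Affected table and the Geth advisory (fixed in 1.14.12 and 1.15.5), and the function names are my own.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Thresholds follow the Affected table and the Geth advisory: everything
// before 1.14.12, and 1.15.0 through 1.15.4, still has the flawed division.
var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion splits a runtime.Version()-style string ("go1.15.3", "go1.16",
// "go1.15rc1") into major, minor, patch; a missing patch number counts as 0.
func parseGoVersion(v string) (major, minor, patch int, err error) {
	m := goVersionRe.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, fmt.Errorf("unrecognised Go version %q", v)
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	patch, _ = strconv.Atoi(m[3]) // m[3] is "" when absent; Atoi then yields 0
	return major, minor, patch, nil
}

// AffectedByCVE202028362 (hypothetical name) reports whether a toolchain is in
// scope. Unparseable strings ("devel +abc123") return an error so a CI gate
// fails closed instead of treating an unknown toolchain as fixed.
func AffectedByCVE202028362(v string) (bool, error) {
	major, minor, patch, err := parseGoVersion(v)
	if err != nil {
		return false, err
	}
	switch {
	case major != 1:
		return false, nil
	case minor < 14:
		return true, nil
	case minor == 14:
		return patch < 12, nil
	case minor == 15:
		return patch < 5, nil
	}
	return false, nil
}

func main() {
	fmt.Println(AffectedByCVE202028362(runtime.Version()))
}
```

Run it from the toolchain that builds your binaries, or feed it the `go` version strings reported for already-built artifacts, and fail the pipeline when it returns true or an error.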
OSV
Panic during division of very large numbers in math/big
osv · 2021-04-14
A number of math/big.Int methods can panic when provided large inputs due to a flawed division method.
OSV
CVE-2020-28362: Go before 1
osv · 2020-11-18 · CVSS 7.5 · HIGH
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
Red Hat
golang: math/big: panic during recursive division of very large numbers
vendor_redhat · 2020-11-12 · CVSS 7.5 · HIGH · CWE-295
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
A flaw was found in the math/big package of Go's standard library that causes a denial of service. Applications written in Go that use math/big via cryptographic packages, including crypto/rsa and crypto/x509, are vulnerable and can potentially cause panic via a crafted certificate chain. The highest threat from this vulnerability is to system availability.
Statement: OpenShift ServiceMesh (OSSM) 1.1 is Out Of Support Scope (OOSS) for Moderate and Low impact vulnerabilities because it is now in the Maintenance Phase of the support.
Openshift Virtualization 1 (formerly Container Native Virtualization) is Out Of Support Scope (OOSS) for Moderate and
Microsoft
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
vendor_msrc · 2020-11-10 · CVSS 7.5 · HIGH · CWE-295
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2020-28362: golang-1.15 - Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
vendor_debian · 2020 · CVSS 7.5 · HIGH
Scope: local
bullseye: resolved (fixed in 1.15.5-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI
https://lists.apache.org/thread.html/rd02e75766cd333a0df417588460f5e4477060633000bfe94955851fd%40%3Cissues.trafficcontrol.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2W4COUPL3YVTZ6RTEIT6LPBDJUFF3VSP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3ZSHGNTJWCWYAKY5OLZS2XQQYHSXSUO/
https://security.netapp.com/advisory/ntap-20201202-0004/
https://www.arista.com/en/support/advisories-notices/security-advisories/12166-security-advisory-62