CVE-2020-7919 — Improper Certificate Validation in X Crypto

CWE-295 — Improper Certificate Validation CWE-190 — Integer Overflow or Wraparound10 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 29.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Helm Helm Golang.org X Crypto Helm.sh Helm V3 +3 more

Timeline

PublishedMar 16

Latest updateJul 6

Description

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Gogolang.org/x_crypto< 0.0.0-20200124225646-8b5121be2f68

▶NVDgolang/go1.12 — 1.12.6+1

▶Gohelm.sh/helm_v33.0.0 — 3.1.0

▶Gogithub.com/helm_helm2.0.0 — 2.16.8

Also affects: Debian Linux 10.0, Fedora 31

🔴Vulnerability Details

OSV

Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte↗2022-07-06

▶

OSV

Helm uses crypto package vulnerable to panic from malformed X.509 certificate↗2021-06-23

▶

GHSA

Helm uses crypto package vulnerable to panic from malformed X.509 certificate↗2021-06-23

▶

CVEList

CVE-2020-7919: Go before 1↗2020-03-16

▶

OSV

CVE-2020-7919: Go before 1↗2020-03-16

▶

📋Vendor Advisories

Red Hat

golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service↗2020-01-28

▶

💬Community

Bugzilla

CVE-2020-7919 golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service [fedora-all]↗2020-02-27

▶

Bugzilla

CVE-2020-7919 golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service↗2020-02-27

▶

Bugzilla

CVE-2020-7919 golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service [epel-all]↗2020-02-27

▶