CVE-2020-7919
Published: 2020-03-16
Priority: P339 · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.58% (83.3rd percentile)
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| github.com | helm_helm | >= 2.0.0 < 2.16.8 | 2.16.8 |
| golang.org | x_crypto | >= 0 < 0.0.0-20200124225646-8b5121be2f68 | 0.0.0-20200124225646-8b5121be2f68 |
| golang | go | >= 1.12 < 1.12.6 | 1.12.6 |
| golang | go | >= 1.13 < 1.13.7 | 1.13.7 |
| helm.sh | helm_v3 | >= 3.0.0 < 3.1.0 | 3.1.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service [HIGH, CWE-190]
vendor_redhat · 2020-01-28 · CVSS 7.5
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
An integer overflow vulnerability was found in the Go crypto/x509 and golang.org/x/crypto/cryptobyte libraries on 32-bit architectures. A remote attacker could exploit this by supplying a crafted x.509 certificate, or other ASN.1 structure, as either a client or server to crash vulnerable Go applications.
Statement: The products below are only supported on 64-bit architectures and are therefore not affected by this flaw:
* OpenShift Container Platform
* OpenShift Service Mesh
* Red Hat
OSV
Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte
osv · 2022-07-06
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
OSV
Helm uses crypto package vulnerable to panic from malformed X.509 certificate [HIGH]
osv · 2021-06-23 · CVSS 7.5
The Helm core maintainers have identified a high severity security vulnerability in Go's `crypto` package affecting all versions prior to Helm 2.16.8 and Helm 3.1.0.
Thanks to @ravin9249 for identifying the vulnerability.
### Impact
Go before 1.12.16 and 1.13.x before 1.13.7 (and the `crypto/cryptobyte` package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients resulting in a panic via a malformed X.509 certificate. This may allow a remote attacker to cause a denial of service.
### Patches
A patch to compile Helm against Go 1.14.4 has been provided for Helm 2 and is available in Helm 2.16.8. Helm 3.1.0 and newer are compiled against Go 1.13.7+.
### Workarounds
No workaround is avai
GHSA
Helm uses crypto package vulnerable to panic from malformed X.509 certificate [HIGH, CWE-295]
ghsa · 2021-06-23 · CVSS 7.5
OSV
CVE-2020-7919: Go before 1 [HIGH]
osv · 2020-03-16 · CVSS 7.5
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-7919 golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service [fedora-all] [HIGH]
bugzilla · 2020-02-27 · CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NO
Bugzilla
CVE-2020-7919 golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service [HIGH]
bugzilla · 2020-02-27 · CVSS 7.5
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.
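As an added defender-side example (not code from the advisories or from the Go project), the wrapper below does in application code what the OSV and Bugzilla descriptions say net/http servers already do: it recovers a panic raised by the certificate parser and surfaces it as an ordinary error. The `parseFunc` hook and `ErrParserPanic` are assumptions introduced here so that a panicking parser can be substituted for testing, since patched toolchains no longer panic on malformed input.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
)

// ErrParserPanic marks the failure mode CVE-2020-7919 describes: the parser
// panicked on malformed input instead of returning an error.
var ErrParserPanic = errors.New("certificate parser panicked")

// parseFunc is the parser being guarded; it defaults to x509.ParseCertificate.
// It is a variable (an assumption of this example) so a stand-in that panics
// can be swapped in where a fixed Go toolchain would otherwise never panic.
var parseFunc = x509.ParseCertificate

// SafeParseCertificate converts a panic inside certificate parsing into an
// error, so one malformed peer certificate cannot take the process down,
// mirroring the recovery that net/http performs for handler goroutines.
func SafeParseCertificate(der []byte) (cert *x509.Certificate, err error) {
	defer func() {
		if r := recover(); r != nil {
			cert = nil
			err = fmt.Errorf("%w: %v", ErrParserPanic, r)
		}
	}()
	return parseFunc(der)
}

func main() {
	// Constructed sample input: not a valid certificate, so a patched parser
	// reports a normal error rather than panicking.
	garbage := []byte{0x30, 0x03, 0x02, 0x01}
	_, err := SafeParseCertificate(garbage)
	fmt.Println("parse result:", err)
}
```

This only protects call sites that invoke the parser directly; a crypto/tls client parses the peer certificate inside the handshake, so for that path the remedy is upgrading to the fixed Go versions listed above.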
Reference:
https://github.com/golang/go/issues/36837
Discussion:
Created golang tracking bugs for this issue:
Affects: epel-all [bug 1808042]
Affects: fedora-all [bug 1808044]
---
The current version of ServiceMesh only supports x86_64 architec
Bugzilla
CVE-2020-7919 golang: Integer overflow on 32bit architectures via crafted certificate allows for denial of service [epel-all] [HIGH]
bugzilla · 2020-02-27 · CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE:
References:
* https://groups.google.com/forum/#%21forum/golang-announce
* https://groups.google.com/forum/#%21topic/golang-announce/-sdUB4VEQkA
* https://groups.google.com/forum/#%21topic/golang-announce/Hsw4mHYc470
* https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S43VLYRURELDWX4D5RFOYBNFGO6CGBBC/
* https://security.netapp.com/advisory/ntap-20200327-0001/
* https://www.debian.org/security/2021/dsa-4848
* https://www.oracle.com/security-alerts/cpuApr2021.html