CVE-2020-9283
Published: 2020-02-20
Priority: P3 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT: public proof of concept available (see the Packet Storm reference below)
EPSS: 21.05% (97.3rd percentile)
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
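The crash path the description above refers to, as an added example and not code from golang.org/x/crypto: a peer sends an ssh-ed25519 public-key blob in SSH wire format (a length-prefixed algorithm name followed by a length-prefixed key), and the receiving side hands the key bytes to crypto/ed25519, whose Verify panics on any key that is not exactly 32 bytes. The helper names (readString, parseEd25519Blob, encodeBlob, verifyUnchecked, panics) and the signed message are constructed for this illustration; the length check in parseEd25519Blob is the same kind of check the upstream fix adds before the primitive is reached.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// readString pulls one SSH wire-format "string" (uint32 big-endian length
// followed by that many bytes) off the front of buf.
func readString(buf []byte) (s, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, errors.New("short length prefix")
	}
	n := binary.BigEndian.Uint32(buf)
	if uint64(n) > uint64(len(buf)-4) {
		return nil, nil, errors.New("string length exceeds buffer")
	}
	return buf[4 : 4+n], buf[4+n:], nil
}

// parseEd25519Blob decodes a blob of the form: string "ssh-ed25519", string key.
// It rejects any key that is not exactly ed25519.PublicKeySize bytes, so a
// crafted key is turned into an error instead of a panic later on.
func parseEd25519Blob(blob []byte) (ed25519.PublicKey, error) {
	algo, rest, err := readString(blob)
	if err != nil {
		return nil, err
	}
	if string(algo) != "ssh-ed25519" {
		return nil, fmt.Errorf("unexpected key type %q", algo)
	}
	key, rest, err := readString(rest)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after key")
	}
	if l := len(key); l != ed25519.PublicKeySize {
		return nil, fmt.Errorf("invalid size %d for Ed25519 public key", l)
	}
	return ed25519.PublicKey(key), nil
}

// encodeBlob builds the wire blob and deliberately allows a wrong key length,
// so the input a malicious peer would send can be constructed locally.
func encodeBlob(key []byte) []byte {
	var out []byte
	for _, s := range [][]byte{[]byte("ssh-ed25519"), key} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(s)))
		out = append(out, l[:]...)
		out = append(out, s...)
	}
	return out
}

// verifyUnchecked reproduces the pre-fix behaviour: raw key bytes go straight
// to crypto/ed25519 with no length check, and Verify panics when len != 32.
func verifyUnchecked(key, msg, sig []byte) bool {
	return ed25519.Verify(ed25519.PublicKey(key), msg, sig)
}

// panics reports whether fn panics, so the failure mode can be shown without
// taking the whole process down.
func panics(fn func()) (did bool) {
	defer func() {
		if recover() != nil {
			did = true
		}
	}()
	fn()
	return false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the data a client signs in SSH_MSG_USERAUTH_REQUEST.
	msg := []byte("constructed userauth signed data")
	sig := ed25519.Sign(priv, msg)

	good := encodeBlob(pub)
	crafted := encodeBlob(pub[:31]) // well-formed wire encoding, 31-byte key

	key, err := parseEd25519Blob(good)
	fmt.Println("valid blob parses:", err == nil, "signature ok:", ed25519.Verify(key, msg, sig))
	_, err = parseEd25519Blob(crafted)
	fmt.Println("crafted blob rejected:", err)
	fmt.Println("pre-fix path panics on crafted key:", panics(func() { verifyUnchecked(pub[:31], msg, sig) }))
}
```

In a server the parse step runs before PublicKeyCallback is consulted, so the length check stops the crafted key before any signature work; a client hits the same path when it parses the host key a malicious server presents. The same check is needed for the sk-ssh-ed25519@openssh.com variant, whose blob carries an extra application string after the key.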
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | golang-go.crypto | < golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bookworm) | golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bookworm) |
| golang.org | x_crypto | >= 0 < 0.0.0-20200220183623-bac4c82f6975 | 0.0.0-20200220183623-bac4c82f6975 |
| golang | package_ssh | — | — |
| paloalto | pan-os | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Palo Alto
PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
vendor_paloalto · 2025-07-09 · CVSS 7.5 · [HIGH]
Indexed here under CVE-2018-6594 and CVE-2023-38546.
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
| CVE | Summary |
|---|---|
| CVE-2018-6594 | This CVE is fixed in PAN-OS 10.2.17, 11.1.11, 11.2.8, 12.1.2, and all later versions of PAN-OS |
| CVE-2018-25032 | This CVE is fixed in PAN-OS 10.1.7, 10.2.2, and all later versions of PAN-OS |
| CVE-2019-5827 | This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. |
| CVE-2019-13750 | This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. |
| CVE-2019-13751 | This CVE is fixed in PAN-OS 11.1.4, and all later versions |
Red Hat
golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
vendor_redhat · 2020-02-21 · CVSS 7.5 · [HIGH] · CWE-130
A denial of service vulnerability was found in the SSH package of the golang.org/x/crypto library. An attacker could exploit this flaw by supplying crafted SSH ed25519 keys to cause a crash in applications that use this package as either an SSH client or server.
Statement: OpenShift Container Platform uses the vulnerable library in a number of components but strictly as an SSH client. The severity of this vulnerability is reduced for clients as it requi
Debian
CVE-2020-9283: golang-go.crypto - golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a pa...
vendor_debian · 2020 · CVSS 7.5 · [HIGH]
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
Scope: local
bookworm: resolved (fixed in 1:0.0~git20200221.2aa609c-1)
bullseye: resolved (fixed in 1:0.0~git20200221.2aa609c-1)
forky: resolved (fixed in 1:0.0~git20200221.2aa609c-1)
sid: resolved (fixed in 1:0.0~git20200221.2aa609c-1)
trixie: resolved (fixed in 1:0.0~git20200221.2aa609c-1)
OSV
Improper Verification of Cryptographic Signature in golang.org/x/crypto
osv · 2021-05-18 · [HIGH]
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
GHSA
Improper Verification of Cryptographic Signature in golang.org/x/crypto
ghsa · 2021-05-18 · [HIGH] · CWE-347
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
OSV
Panic due to improper verification of cryptographic signatures in golang.org/x/crypto/ssh
osv · 2021-04-14
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. If verifying signatures using user supplied public keys, this may be used as a denial of service vector.
OSV
CVE-2020-9283: golang
osv · 2020-02-20 · CVSS 7.5 · [HIGH]
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
HackerOne
SSH server due to Improper Signature Verification
hackerone · 2021-08-30 · CVSS 7.5 · [HIGH]
I found that you are using golang.org/x/[email protected] which has a vulnerability that was fixed in this version
golang.org/x/[email protected] but that vulnerability is:
golang.org/x/crypto/ssh is an SSH client and server
Version v0.0.0-20200220183623-bac4c82f6975 of golang.org/x/crypto fixes a vulnerability in the golang.org/x/crypto/ssh package which allowed peers to cause a panic in SSH servers that accept public keys and in any SSH client.
You can check all of the info here with this CVE: CVE-2020-9283.
## Impact
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver suc
Bugzilla
CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
bugzilla · 2020-02-19 · CVSS 7.5 · [HIGH]
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.
Reference:
https://groups.google.com/forum/#!topic/kubernetes-security-discuss/s15RxeNdBLc
Discussion:
External Reference:
https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY
---
Upstream Fix:
https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236
---
Statement:
OpenShift Container Platform uses the vulnera
References:
http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html
https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY
https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html
https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html
https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00017.html