CVE-2022-23806 — Unchecked Return Value in GO

CWE-252 — Unchecked Return Value8 documents7 sources

Severity

9.1CRITICALNVD

EPSS

0.0%

top 88.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Debian Linux

Timeline

PublishedFeb 11

Latest updateMay 23

Description

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

▶NVDgolang/go1.17.0 — 1.17.7+1

Also affects: Debian Linux 9.0

🔴Vulnerability Details

OSV

Incorrect computation for some invalid field elements in crypto/elliptic↗2022-05-23

▶

GHSA

GHSA-8c83-vp4v-h7fq: Curve↗2022-02-12

▶

CVEList

CVE-2022-23806: Curve↗2022-02-11

▶

OSV

CVE-2022-23806: Curve↗2022-02-11

▶

📋Vendor Advisories

Red Hat

golang: crypto/elliptic: IsOnCurve returns true for invalid field elements↗2022-02-11

▶

Microsoft

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.↗2022-02-08

▶

Debian

CVE-2022-23806: golang-1.15 - Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7...↗2022

▶