Panic due to improper verification of cryptographic signatures in golang.org/x/crypto/ssh
Overview
Source
ID: GO-2020-0012
Aliases: CVE-2020-9283, GHSA-ffhg-7mh4-33c4
Affected package
Description
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key such that the library will panic when trying to verify a signature with it. If you verify signatures using user-supplied public keys, this may be used as a denial-of-service vector.
Summary
Total packages affected: 25.37k
Packages with at least one version that is affected by the advisory or has an affected dependency.
Packages with a known fix: 4.76k
Packages with versions affected by the advisory that have a greater version that is not affected.
Total ecosystem affected: 1.89%
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected Version: Introduced: 0, Fixed: 0.0.0-20200220183623-bac4c82f6975
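One way to check a go.mod file against the fixed version above, as an added example that is not part of the advisory or of the golang.org/x/crypto project. The names `Affected` and `CheckGoMod` are hypothetical, the sample go.mod is constructed, and `replace` directives are not evaluated.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// First fixed version per GO-2020-0012: 0.0.0-20200220183623-bac4c82f6975.
const fixedStamp = "20200220183623"

var (
	// A golang.org/x/crypto requirement, on a "require" line or inside a require block.
	reqLine = regexp.MustCompile(`^(?:require\s+)?golang\.org/x/crypto\s+(v\S+)`)
	// Pseudo-version on base v0.0.0: v0.0.0-yyyymmddhhmmss-<12 hex commit>.
	pseudo = regexp.MustCompile(`^v0\.0\.0-(\d{14})-[0-9a-f]{12}$`)
	// Tagged release; anything but a v0.0.0 pre-release sorts above the fix.
	tagged = regexp.MustCompile(`^v\d+\.\d+\.\d+`)
)

// Affected reports whether a golang.org/x/crypto version predates the fix.
func Affected(v string) (bool, error) {
	if m := pseudo.FindStringSubmatch(v); m != nil {
		return m[1] < fixedStamp, nil // fixed-width UTC stamps compare lexically
	}
	if tagged.MatchString(v) && !strings.HasPrefix(v, "v0.0.0-") {
		return false, nil
	}
	return false, fmt.Errorf("cannot order version %q against the fix", v)
}

// CheckGoMod finds the golang.org/x/crypto requirement in go.mod text; found is false if absent.
func CheckGoMod(gomod string) (version string, affected, found bool, err error) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		if m := reqLine.FindStringSubmatch(strings.TrimSpace(sc.Text())); m != nil {
			affected, err = Affected(m[1])
			return m[1], affected, true, err
		}
	}
	return "", false, false, sc.Err()
}

func main() {
	// Constructed go.mod for illustration; the commit hash is a placeholder.
	sample := "module example.com/app\n\nrequire (\n\tgolang.org/x/crypto v0.0.0-20190101000000-0123456789ab // indirect\n)\n"
	fmt.Println(CheckGoMod(sample))
}
```

The line pattern also matches the `path version` lines printed by `go list -m all`, which reflects the resolved build list rather than only what go.mod declares.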