Panic on crafted authentication request message in golang.org/x/crypto/ssh

Overview

Source
ID: GO-2021-0227
Aliases: CVE-2020-29652, GHSA-3vm4-22fp-5rfm
Affected package

Description

Clients can cause a panic in SSH servers. An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.

Summary

Total packages affected: 48.92k
Packages with at least one version that is affected by the advisory or has an affected dependency.

Packages with a known fix: 7.33k
Packages with versions affected by the advisory that have a greater version that is not affected.

Total ecosystem affected: 3.71%
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).

Affected Version: Introduced: 0, Fixed: 0.0.0-20201216223049-8b5274cf687f
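
To check a project against the fixed version listed above, the following added example (not part of the advisory or of golang.org/x/crypto) reads go.mod text and reports whether the required golang.org/x/crypto version sorts before the fix. The function names and the sample go.mod are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const modulePath = "golang.org/x/crypto"
const fixedVersion = "v0.0.0-20201216223049-8b5274cf687f" // "Fixed" value from the advisory

// parse splits vMAJOR.MINOR.PATCH[-PRERELEASE][+BUILD] into its parts.
func parse(v string) (core [3]int, pre string, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-")
	n, err := fmt.Sscanf(v, "%d.%d.%d", &core[0], &core[1], &core[2])
	return core, pre, err == nil && n == 3
}

// isAffected reports (affected, parsedOK). Pre-release strings are compared bytewise,
// which is enough for the v0.0.0-<timestamp>-<hash> pseudo-version form of the fix.
func isAffected(v string) (bool, bool) {
	c, p, ok := parse(v)
	fc, fp, _ := parse(fixedVersion)
	for i := 0; ok && i < 3; i++ {
		if c[i] != fc[i] {
			return c[i] < fc[i], true
		}
	}
	// Same core version: a release (empty pre-release) outranks any pre-release.
	return ok && p != "" && p < fp, ok
}

// checkGoMod returns the first version of modulePath named in go.mod text.
func checkGoMod(gomod string) (version string, affected, found bool) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if a, ok := isAffected(f[i+1]); f[i] == modulePath && ok {
				return f[i+1], a, true
			}
		}
	}
	return "", false, false
}

func main() {
	// Constructed go.mod; the pseudo-version below is made up for illustration.
	sample := "module example.com/sshd\nrequire golang.org/x/crypto v0.0.0-20200101000000-000000000000\n"
	fmt.Println(checkGoMod(sample))
}
```

go.mod records the minimum required version; running go list -m golang.org/x/crypto in the module shows the version actually selected for the build.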
Patched/Unaffected
v0.26.0
v0.27.0
v0.28.0
v0.29.0
v0.30.0
v0.31.0
v0.32.0
Affected