Vulnerability Report: GO-2021-0227

CVE-2020-29652, GHSA-3vm4-22fp-5rfm
Affects: golang.org/x/crypto
Published: Feb 17, 2022
Modified: Jun 12, 2023

Clients can cause a panic in SSH servers. An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.

Affected Packages

Path

Versions

Symbols
golang.org/x/crypto/ssh

before v0.0.0-20201216223049-8b5274cf687f
- NewServerConn

Aliases

CVE-2020-29652
GHSA-3vm4-22fp-5rfm

References

https://go.dev/cl/278852
https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8
https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
https://vuln.go.dev/ID/GO-2021-0227.json

Credits

Joern Schneewesiz (GitLab Security Research Team)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL