Vulnerability Report: GO-2022-0217
- CVE-2019-6486
- Affects: crypto/elliptic
- Published: May 24, 2022
- Modified: Jun 12, 2023
A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
Affected Packages
-
PathVersionsSymbols
-
before go1.10.8, from go1.11.0-0 before go1.11.5all symbols
Aliases
References
- https://go.dev/cl/159218
- https://go.googlesource.com/go/+/193c16a3648b8670a762e925b6ac6e074f468a20
- https://go.dev/issue/29903
- https://groups.google.com/g/golang-announce/c/mVeX35iXuSw
- https://vuln.go.dev/ID/GO-2022-0217.json
Credits
- Wycheproof Project
Feedback
See anything missing or incorrect?
Suggest an edit to this report.