NULL Pointer Dereference Affecting github.com/golang/crypto package, versions <0.0.0-20201216223049-8b5274cf687f


Severity: high

  • Snyk CVSS: Attack Complexity Low, Availability High
  • NVD: 7.5 high
  • Red Hat: 7.5 high

  • Snyk ID SNYK-GOLANG-GITHUBCOMGOLANGCRYPTO-2825233
  • published 9 Jan 2022
  • disclosed 9 Jan 2022
  • credit Joern Schneeweisz

How to fix?

Upgrade github.com/golang/crypto to version 0.0.0-20201216223049-8b5274cf687f or higher.

Overview

github.com/golang/crypto is an SSH client and server.

Affected versions of this package are vulnerable to NULL Pointer Dereference via a crafted authentication request message for the gssapi-with-mic method, which causes NewServerConn to panic if ServerConfig.GSSAPIWithMICConfig is nil.
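
The failure mode described above, modelled in Go as an added example (not code from golang/crypto or from Snyk). The types and the functions `authUnchecked`, `authChecked` and `outcome` are simplified, hypothetical stand-ins that keep only the advisory's field name and method string; they show why a client-selected method must not reach an optional config pointer without a nil check.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the types named in the advisory (assumed shapes).
type GSSAPIWithMICConfig struct{ AllowLogin func(user string) error }
type ServerConfig struct {
	GSSAPIWithMICConfig *GSSAPIWithMICConfig // nil when GSSAPI is not set up
}

var errUnsupported = errors.New("unsupported auth method")

// authUnchecked models the affected behaviour: the method name sent by the
// client selects a branch that dereferences the optional config unchecked.
func authUnchecked(cfg *ServerConfig, method, user string) error {
	if method != "gssapi-with-mic" {
		return errUnsupported
	}
	return cfg.GSSAPIWithMICConfig.AllowLogin(user) // nil dereference here
}

// authChecked fails the auth attempt when the config is absent, so the
// connection is rejected instead of the process panicking.
func authChecked(cfg *ServerConfig, method, user string) error {
	if method != "gssapi-with-mic" {
		return errUnsupported
	}
	if cfg.GSSAPIWithMICConfig == nil || cfg.GSSAPIWithMICConfig.AllowLogin == nil {
		return errors.New("gssapi-with-mic auth not configured")
	}
	return cfg.GSSAPIWithMICConfig.AllowLogin(user)
}

// outcome runs a handler against a server with no GSSAPI config and reports
// whether it panicked or returned an ordinary error.
func outcome(h func(*ServerConfig, string, string) error) (panicked bool, err error) {
	defer func() { panicked = recover() != nil }()
	return false, h(&ServerConfig{}, "gssapi-with-mic", "alice")
}

func main() {
	for name, h := range map[string]func(*ServerConfig, string, string) error{
		"unchecked": authUnchecked, "checked": authChecked} {
		panicked, err := outcome(h)
		fmt.Printf("%-9s panicked=%v err=%v\n", name, panicked, err)
	}
}
```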