Improper Signature Verification Affecting github.com/golang/crypto package, versions <0.0.0-20200220183623-bac4c82f6975


0.0
high
  • Exploit Maturity

    Mature

  • Attack Complexity

    Low

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-GOLANG-GITHUBCOMGOLANGCRYPTO-551925

  • published

    21 Feb 2020

  • disclosed

    21 Feb 2020

  • credit

    Alex Gaynor

How to fix?

Upgrade github.com/golang/crypto to version 0.0.0-20200220183623-bac4c82f6975 or higher.

Overview

github.com/golang/crypto is a SSH client and server

Affected versions of this package are vulnerable to Improper Signature Verification. An attacker can craft an ssh-ed25519 or sk-ssh-...@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client.