GO-2022-0217
Discription

A DoS vulnerability in the crypto/elliptic implementations of the P-521 and
P-384 elliptic curves may let an attacker craft inputs that consume
excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
key is reused more than once, the attack can also lead to key recovery.Read More

References

https://go.dev/cl/159218https://go.googlesource.com/go/+/193c16a3648b8670a762e925b6ac6e074f468a20https://go.dev/issue/29903https://groups.google.com/g/golang-announce/c/mVeX35iXuSw

6.4 Medium

CVSS2

  • Access Vector
  • Access Complexity
  • Authentication
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact
  • Network
  • Low
  • None
  • Partial
  • None
  • Partial

AV:N/AC:L/Au:N/C:P/I:N/A:P

8.2 High

CVSS3

  • Attack Vector
  • Attack Complexity
  • Privileges Required
  • User Interaction
  • Scope
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact
  • Network
  • Low
  • None
  • None
  • Unchanged
  • Low
  • None
  • High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Back to Main
Subscribe for the latest news: