CVE-2019-17596

high

Description

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

References

https://www.debian.org/security/2019/dsa-4551

https://www.arista.com/en/support/advisories-notices/security-advisories/10134-security-advisory-46

https://security.netapp.com/advisory/ntap-20191122-0005/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVOWGM7IQGRO7DS2MCUMYZRQ4TYOZNAS/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VS3HPSE25ZSGS4RSOTADC67YNOHIGVV/

https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html

https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html

https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ

https://github.com/golang/go/issues/34960

https://access.redhat.com/errata/RHSA-2020:0329

https://access.redhat.com/errata/RHSA-2020:0101

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html

Details

Source: Mitre, NVD

Published: 2019-10-24

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

Detections

Analytics