CVE-2017-3204 – golang.org/x/crypto
Package
Manager: go
Name: golang.org/x/crypto
Vulnerable Version: >=0 <0.0.0-20170330155735-e4e2799dd7aa
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.01811 (percentile 0.82125)
Details
golang.org/x/crypto/ssh Man-in-the-Middle attack
The Go SSH library (golang.org/x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks if ClientConfig.HostKeyCallback is not set. The default behavior changed in commit e4e2799 to require explicitly registering a host key verification mechanism.
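A simplified model of the host key check described above, added here as an example; it is not code from golang.org/x/crypto. The callback type takes raw key bytes, and the type names, the `failClosed` switch, the host name and the seeded sample keys are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// HostKeyCallback is a simplified stand-in (assumption) for the callback
// behind ClientConfig.HostKeyCallback; it receives raw public key bytes.
type HostKeyCallback func(hostname string, key []byte) error
type ClientConfig struct{ HostKeyCallback HostKeyCallback }

var ErrNoCallback = errors.New("no HostKeyCallback registered")

// PinnedKey accepts only the exact key recorded out of band for the host.
func PinnedKey(pinned []byte) HostKeyCallback {
	return func(hostname string, key []byte) error {
		if !bytes.Equal(pinned, key) {
			return fmt.Errorf("host key mismatch for %s", hostname)
		}
		return nil
	}
}

// CheckHostKey models the host key step of the handshake. failClosed=false is
// the vulnerable default; failClosed=true is the behavior after e4e2799.
func CheckHostKey(cfg ClientConfig, failClosed bool, host string, key []byte) error {
	if cfg.HostKeyCallback != nil {
		return cfg.HostKeyCallback(host, key)
	}
	if failClosed {
		return ErrNoCallback
	}
	return nil // vulnerable: an unverified key is accepted
}

// SampleKey derives a constructed Ed25519 public key from a fixed seed byte.
func SampleKey(seed byte) []byte {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey)
}

func main() {
	server, rogue := SampleKey(1), SampleKey(2)
	unset, pinned := ClientConfig{}, ClientConfig{HostKeyCallback: PinnedKey(server)}
	fmt.Println("unset, pre-fix, rogue key: ", CheckHostKey(unset, false, "host.example", rogue))
	fmt.Println("unset, post-fix, rogue key:", CheckHostKey(unset, true, "host.example", rogue))
	fmt.Println("pinned, rogue key:         ", CheckHostKey(pinned, true, "host.example", rogue))
}
```

In the real package, `ssh.FixedHostKey` and the `knownhosts` subpackage provide callbacks that play the role of `PinnedKey` here.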
Metadata
Created: 2023-02-07T22:39:34Z
Modified: 2024-04-19T21:43:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-xhjq-w7xm-p8qj/GHSA-xhjq-w7xm-p8qj.json
CWE IDs: []
Alternative ID: GHSA-xhjq-w7xm-p8qj
Finding: F163
Auto approve: 1