Fluid Attacks Database

Description

Panic due to large inputs affecting P-256 curves in crypto/elliptic A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.17.9	1.17.9
rpm rhel9	go-toolset	<0:1.17.12-1.el9_0	0:1.17.12-1.el9_0
rpm rhel7	golang	-	-
rpm rhel9	golang	<0:1.17.12-1.el9_0	0:1.17.12-1.el9_0
rpm rhel8	go-toolset	<0:1.17.10-1.module+el8.6.0+15486+6d4da7db	0:1.17.10-1.module+el8.6.0+15486+6d4da7db

Aliases

1. CVE-2022-283272. NVD-2022-283273. OSV-GO-2022-04354. OSV-2022-283275. GCVE-2022-28327

References

1. https://go.dev/cl/3971352. https://go.googlesource.com/go/+/37065847d87df92b5eb246c88ba2085efcf0b3313. https://go.dev/issue/520754. https://groups.google.com/g/golang-announce/c/oecdBNLOml8

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.