Fluid Attacks Database

Description

golang.org/x/crypto/ssh NULL Pointer Dereference vulnerability A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. An attacker can craft an authentication request message for the gssapi-with-mic method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	golang.org/x/crypto	>=0 <0.0.0-20201216223049-8b5274cf687f	0.0.0-20201216223049-8b5274cf687f
go	golang.org/x/crypto/ssh	>=0 <0.0.0-20201216223049-8b5274cf687f	0.0.0-20201216223049-8b5274cf687f
debian 11	golang-go.crypto	>=0 <1:0.0~git20201221.eec23a3-1	1:0.0~git20201221.eec23a3-1
debian 12	golang-go.crypto	>=0 <1:0.0~git20201221.eec23a3-1	1:0.0~git20201221.eec23a3-1
debian 13	golang-go.crypto	>=0 <1:0.0~git20201221.eec23a3-1	1:0.0~git20201221.eec23a3-1
debian 14	golang-go.crypto	>=0 <1:0.0~git20201221.eec23a3-1	1:0.0~git20201221.eec23a3-1
rpm rhel7	gomtree	-	-

Aliases

1. CVE-2020-296522. NVD-2020-296523. OSV-2020-296524. OSV-DEBIAN-2020-296525. GHSA-3vm4-22fp-5rfm6. GCVE-2020-296527. SECURITY-TRACKER-CVE-2020-29652

References

1. https://go-review.googlesource.com/c/crypto/+/2788522. https://go.dev/cl/2788523. https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e84. https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=15. https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E6. https://pkg.go.dev/vuln/GO-2021-0227