Fluid Attacks Database

Description

x/crypto/ssh vulnerable to panic via malformed packets The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an unauthenticated attacker to panic an SSH server. When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	golang.org/x/crypto/ssh	>=0 <0.0.0-20211202192323-5770296d904e	0.0.0-20211202192323-5770296d904e
debian 12	golang-go.crypto	>=0 <1:0.0~git20211202.5770296-1	1:0.0~git20211202.5770296-1
go	golang.org/x/crypto	>=0 <0.0.0-20211202192323-5770296d904e	0.0.0-20211202192323-5770296d904e
debian 11	golang-go.crypto	=1:0.0~git20201221.eec23a3-1 \|\| =1:0.0~git20210817.32db794-1 \|\| =1:0.0~git20211202.5770296-1 \|\| =1:0.0~git20220315.3147a52-1 \|\| =1:0.0~git20220829.c86fa9a-1 \|\| =1:0.0~git20220829.c86fa9a-1~bpo11+1 \|\| =1:0.1.0-1 \|\| =1:0.10.0-1 \|\| =1:0.12.0-1 \|\| =1:0.13.0-1 \|\| =1:0.14.0-1 \|\| =1:0.16.0-1 \|\| =1:0.17.0-1 \|\| =1:0.18.0-1 \|\| =1:0.19.0-1 \|\| =1:0.21.0-1 \|\| =1:0.22.0-1 \|\| =1:0.23.0-1 \|\| =1:0.24.0-1 \|\| =1:0.24.0-2 \|\| =1:0.25.0-1 \|\| =1:0.25.0-1~bpo12+1 \|\| =1:0.33.0-1~exp1 \|\| =1:0.36.0-1~exp1 \|\| =1:0.4.0-1 \|\| =1:0.41.0-1~exp1 \|\| =1:0.42.0-1 \|\| =1:0.42.0-1~exp1 \|\| =1:0.42.0-2 \|\| =1:0.42.0-3 \|\| =1:0.42.0-4 \|\| =1:0.43.0-1 \|\| =1:0.43.0-2 \|\| =1:0.45.0-1 \|\| =1:0.46.0-1 \|\| =1:0.47.0-1 \|\| =1:0.50.0-1	-
debian 13	golang-go.crypto	>=0 <1:0.0~git20211202.5770296-1	1:0.0~git20211202.5770296-1
debian 14	golang-go.crypto	>=0 <1:0.0~git20211202.5770296-1	1:0.0~git20211202.5770296-1
rpm rhel7	golang	-	-

Aliases

1. CVE-2021-435652. NVD-2021-435653. OSV-2021-435654. OSV-DEBIAN-2021-435655. GHSA-gwc9-m7rh-j2ww6. GCVE-2021-435657. SECURITY-TRACKER-CVE-2021-43565

References

1. https://groups.google.com/forum/#!forum/golang-announce2. https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs3. https://go.dev/cl/3688144. https://go.dev/issues/499325. https://pkg.go.dev/vuln/GO-2022-0968

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.