CVE-2022-23806

Опубликовано: 11 фев. 2022

Источник: debian

EPSS Низкий

Описание

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
golang-1.18	fixed	1.18~rc1-1		package
golang-1.17	fixed	1.17.7-1		package
golang-1.15	removed			package
golang-1.15	fixed	1.15.15-1~deb11u3	bullseye	package
golang-1.11	removed			package
golang-1.8	removed			package
golang-1.7	removed			package

Примечания

https://github.com/golang/go/issues/50974
https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
https://github.com/golang/go/commit/e16331902340c02bdf1831b5508df2307b871ef6 (go1.17.7)

EPSS

Процентиль: 4%

0.00022

Низкий

Связанные уязвимости

CVE-2022-23806

CVSS3: 9.1

ubuntu

больше 3 лет назад

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

CVE-2022-23806

CVSS3: 7.1

redhat

больше 3 лет назад

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

CVE-2022-23806

CVSS3: 9.1

nvd

больше 3 лет назад

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

CVE-2022-23806

CVSS3: 9.1

msrc

больше 3 лет назад

Описание отсутствует

GHSA-8c83-vp4v-h7fq

CVSS3: 9.1

github

больше 3 лет назад

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

EPSS

Процентиль: 4%

0.00022

Низкий