Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-16875

Опубликовано: 13 дек. 2018
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

Отчет

This issue affects the version of golang package in Red Hat Enterprise Linux 7. The golang package, previously available in the Optional channel, will no longer receive updates in Red Hat Enterprise Linux 7. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/chap-red_hat_enterprise_linux-7.6_release_notes-deprecated_functionality_in_rhel7#idm139716309923696

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ceph Storage 2golangAffected
Red Hat Ceph Storage 3golangAffected
Red Hat Enterprise Linux 7golangWill not fix
Red Hat Enterprise Linux 8go-toolset:rhel8/golangNot affected
Red Hat OpenShift Container Platform 3.10atomic-openshiftFix deferred
Red Hat OpenShift Container Platform 3.11atomic-openshiftNot affected
Red Hat OpenShift Container Platform 3.7atomic-openshiftOut of support scope
Red Hat OpenShift Container Platform 3.9atomic-openshiftFix deferred
Red Hat OpenShift Container Platform 4openshiftNot affected
Red Hat OpenStack Platform 8 (Liberty) Operational ToolsgolangNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-20
https://bugzilla.redhat.com/show_bug.cgi?id=1657565golang: crypto/x509 allows for denial of service via crafted TLS client certificate

EPSS

Процентиль: 82%
0.01689
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-16875

CVSS3: 5.9
ubuntu
около 7 лет назад

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

nvd логотип

CVE-2018-16875

CVSS3: 5.9
nvd
около 7 лет назад

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

debian логотип

CVE-2018-16875

CVSS3: 5.9
debian
около 7 лет назад

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 d ...

github логотип

GHSA-8gx8-4ch8-vgp8

CVSS3: 7.5
github
больше 3 лет назад

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

fstec логотип

BDU:2020-01889

CVSS3: 7.5
fstec
около 7 лет назад

Уязвимость пакета crypto/x509 языка программирования Go, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 82%
0.01689
Низкий

7.5 High

CVSS3