Vulnerability Report: GO-2022-0229

CVE-2020-7919, GHSA-cjjc-xp8v-855w
Affects: crypto/x509, golang.org/x/crypto
Published: Jul 06, 2022
Modified: Jun 12, 2023

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.

Affected Packages

Path

Versions

Symbols
crypto/x509

before go1.12.16, from go1.13.0-0 before go1.13.7

all symbols
golang.org/x/crypto/cryptobyte

before v0.0.0-20200124225646-8b5121be2f68

all symbols

Aliases

CVE-2020-7919
GHSA-cjjc-xp8v-855w

References

https://go.dev/cl/216680
https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
https://go.dev/cl/216677
https://go.dev/issue/36837
https://groups.google.com/g/golang-announce/c/Hsw4mHYc470
https://vuln.go.dev/ID/GO-2022-0229.json

Credits

Project Wycheproof

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL