CVE-2020-7919
Aliases: GHSA-cjjc-xp8v-855w, BIT-golang-2020-7919, GO-2022-0229
Advisory lineage: Upstream: 0, Downstream: 3
Status: Modified
Published: 16 Mar 2020, 20:55
Last modified: 04 Aug 2024, 09:48
Vulnerability Summary
Overall Risk (default): medium (31/100)
CVSS Score: 7.8 HIGH (v2.0, nvd)
EPSS Score: 0.7% LOW (1% probability, -0.15%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
- 16 Mar 2020, 20:55: Published (vulnerability first disclosed)
- 04 Aug 2024, 09:48: Last Modified (vulnerability information updated)
Description
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0 • HIGH • Score: 7.8 • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS Trends
Current EPSS score: 0.70% • Percentile: 72%
Techniques & Countermeasures
- CWE-295 • Improper Certificate Validation: The product does not validate, or incorrectly validates, a certificate.
Affected Systems
- debian • debian_linux: 10.0
- fedoraproject • fedora: 31
- github.com/helm • helm: ≥ 2.0.0, < 2.16.8
- golang • go: ≥ 1.12, < 1.12.6 | ≥ 1.13, < 1.13.7
- golang.org/x • crypto: < 0.0.0-20200124225646-8b5121be2f68
- helm.sh/helm • v3: ≥ 3.0.0, < 3.1.0
- Go • stdlib: ≥ 1.13.0-0, < 1.13.7
- netapp • cloud_insights_telegraf: na
References (21)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S43VLYRURELDWX4D5RFOYBNFGO6CGBBC/
- https://groups.google.com/forum/#%21forum/golang-announce
- https://www.debian.org/security/2021/dsa-4848
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://groups.google.com/forum/#%21topic/golang-announce/-sdUB4VEQkA
- https://groups.google.com/forum/#%21topic/golang-announce/Hsw4mHYc470
- https://security.netapp.com/advisory/ntap-20200327-0001/
- https://github.com/helm/helm/security/advisories/GHSA-cjjc-xp8v-855w
- https://nvd.nist.gov/vuln/detail/CVE-2020-7919
- https://github.com/helm/helm
- https://go.dev/cl/216677
- https://go.dev/cl/216680
- https://go.dev/issue/36837
- https://go.googlesource.com/go/+/b13ce14c4a6aa59b7b041ad2b6eed2d23e15b574
- https://groups.google.com/forum/#!forum/golang-announce
- https://groups.google.com/forum/#!topic/golang-announce/-sdUB4VEQkA
- https://groups.google.com/forum/#!topic/golang-announce/Hsw4mHYc470
- https://groups.google.com/g/golang-announce/c/Hsw4mHYc470
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S43VLYRURELDWX4D5RFOYBNFGO6CGBBC
- https://pkg.go.dev/vuln/GO-2022-0229
- https://security.netapp.com/advisory/ntap-20200327-0001