CVE-2020-9283

Description

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

How to fix CVE-2020-9283

To remediate CVE-2020-9283, upgrade the affected package to a fixed version below.

• Debian/golang-go.crypto—upgrade to 1:0.0~git20200221.2aa609c-1 or later
• —upgrade to 0.10.2+dfsg-6+deb9u1 or later
• —upgrade to 0.3.3-1+deb9u1 or later
• —upgrade to 0.0.0-20200220183623-bac4c82f6975 or later
• —upgrade to 0.0.0-20200220183623-bac4c82f6975 or later

Is CVE-2020-9283 being exploited?

Moderate — EPSS is 18.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

• from 0, < 1:0.0~git20200221.2aa609c-1
• from 0, < 0.10.2+dfsg-6+deb9u1
• from 0, < 0.3.3-1+deb9u1
• from 0, < 0.0.0-20200220183623-bac4c82f6975
• from 0, < 0.0.0-20200220183623-bac4c82f6975

CVSS scores

References (14)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-9283
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-9283
• PATCHgithub.com/golang/crypto
• WEBpacketstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html