Vulnerability Report: GO-2021-0356

CVE-2022-27191, GHSA-8c26-wmh5-6g9v
Affects: golang.org/x/crypto
Published: Apr 25, 2022
Modified: May 20, 2024

Attackers can cause a crash in SSH servers when the server has been configured by passing a Signer to ServerConfig.AddHostKey such that 1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and 2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey method. Servers that only use Signer implementations provided by the ssh package are unaffected.

Affected Packages

Path

Go Versions

Symbols
golang.org/x/crypto/ssh

before v0.0.0-20220314234659-1baeb1ce4c0b
- ServerConfig.AddHostKey

Aliases

CVE-2022-27191
GHSA-8c26-wmh5-6g9v

References

https://go.dev/cl/392355
https://go.googlesource.com/crypto/+/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
https://groups.google.com/g/golang-announce
https://groups.google.com/g/golang-announce/c/-cp44ypCT5s
https://vuln.go.dev/ID/GO-2021-0356.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL