Vulnerability Report: GO-2023-1992

CVE-2019-11841, GHSA-x3jr-pf6g-c48f
Affects: golang.org/x/crypto
Published: Aug 23, 2023
Modified: May 20, 2024

The clearsign package accepts some malformed messages, making it possible for an attacker to trick a human user (but not a Go program) into thinking unverified text is part of the message. With fix, messages with malformed headers in the SIGNED MESSAGE section are rejected.

Affected Packages

Path

Go Versions

Symbols
golang.org/x/crypto/openpgp/clearsign

before v0.0.0-20190424203555-c05e17bb3b2d
- Decode

Aliases

CVE-2019-11841
GHSA-x3jr-pf6g-c48f

References

https://go-review.git.corp.google.com/c/crypto/+/173778
https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
https://groups.google.com/d/msg/golang-openpgp/6vdgZoTgbIY/K6bBY9z3DAAJ
https://vuln.go.dev/ID/GO-2023-1992.json

Credits

Aida Mynzhasova (SEC Consult Vulnerability Lab)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL