5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
0.016 Low
EPSS
Percentile
87.3%
Severity: High
Date : 2020-11-17
CVE-ID : CVE-2020-28362 CVE-2020-28366 CVE-2020-28367
Package : go
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1278
The package go before version 2:1.15.5-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.
Upgrade to 2:1.15.5-1.
The problems have been fixed upstream in version 1.15.5.
None.
A flaw was found in go before 1.15.5 where a number of math/big.Int
methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt,
Jacobi, and GCD) can panic when provided crafted large inputs. For the
panic to happen, the divisor or modulo argument must be larger than
3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit
architectures). Multiple math/big.Rat methods are similarly affected.
crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify
may panic when provided crafted public keys and signatures.
crypto/ecdsa and crypto/elliptic operations may only be affected if
custom CurveParams with unusually large field sizes (several times
larger than the largest supported curve, P-521) are in use. Using
crypto/x509.Verify on a crafted X.509 certificate chain can lead to a
panic, even if the certificates donβt chain to a trusted root. The
chain can be delivered via a crypto/tls connection to a client, or to a
server that accepts and verifies client certificates. net/http clients
can be made to crash by an HTTPS server, while net/http servers that
accept client certificates will recover the panic and are unaffected.
Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509
certificate request or during a golang.org/x/crypto/otr conversation.
Parsing a golang.org/x/crypto/openpgp Entity or verifying a signature
may crash. Finally, a golang.org/x/crypto/ssh client can panic due to a
malformed host key, while a server could panic if either
PublicKeyCallback accepts a malformed public key, or if IsUserAuthority
accepts a certificate with a malformed public key.
A flaw was found in go beforer 1.15.5 where the go command may execute
arbitrary code at build time when cgo is in use. This may occur when
running go get on a malicious package, or any other command that builds
untrusted code.
A flaw was found in go before 1.15.5 where the go command may execute
arbitrary code at build time when cgo is in use. This may occur when
running go get on a malicious package, or any other command that builds
untrusted code.
A local attacker might be able to crash the program via a crafted
input. In addition a remote attacker might be able to execute arbitrary
code when go get is run on a malicious package, or untrusted code is
built via any other command.
https://github.com/golang/go/commit/84150d0af193a7ccd733b3c7fa5787f43125cd2d
https://github.com/golang/go/issues/42554
https://github.com/golang/go/issues/42562
https://github.com/golang/go/commit/32159824698a82a174b60a6845e8494ae3243102
https://github.com/golang/go/issues/42558
https://github.com/golang/go/commit/ec06b6d6be568ce1591d91a0ea4f14c190d06605
https://security.archlinux.org/CVE-2020-28362
https://security.archlinux.org/CVE-2020-28366
https://security.archlinux.org/CVE-2020-28367
github.com/golang/go/commit/32159824698a82a174b60a6845e8494ae3243102
github.com/golang/go/commit/84150d0af193a7ccd733b3c7fa5787f43125cd2d
github.com/golang/go/commit/ec06b6d6be568ce1591d91a0ea4f14c190d06605
github.com/golang/go/issues/42554
github.com/golang/go/issues/42558
github.com/golang/go/issues/42562
security.archlinux.org/AVG-1278
security.archlinux.org/CVE-2020-28362
security.archlinux.org/CVE-2020-28366
security.archlinux.org/CVE-2020-28367
5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
0.016 Low
EPSS
Percentile
87.3%