CVE-2019-17596

high-risk
Published 2019-10-24

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

Do I need to act?

~
2.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (17)

Go
Developer Tools
Cloudvision Portal
Cloudvision Portal
Cloudvision Portal
Cloudvision Portal
Terminattr
Eos
Mos

Affected Vendors

Debian Redhat Fedoraproject Opensuse Arista Golang

References (26)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0101
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0329
Exploit https://github.com/golang/go/issues/34960
Release Notes https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://security.netapp.com/advisory/ntap-20191122-0005/
Third Party Advisory https://www.arista.com/en/support/advisories-notices/security-advisories/10134-s...
Third Party Advisory https://www.debian.org/security/2019/dsa-4551
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0101
Third Party Advisory https://access.redhat.com/errata/RHSA-2020:0329
Exploit https://github.com/golang/go/issues/34960
Release Notes https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
and 6 more references
50
/ 100
high-risk
Severity 26/34 · High
Exploitability 5/34 · Minimal
Exposure 19/34 · Moderate