Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability patch (golang.org/x/crypto/ssh) #152

Closed
sam-caldwell opened this issue Jan 22, 2024 · 1 comment · Fixed by #155
Closed

Vulnerability patch (golang.org/x/crypto/ssh) #152

sam-caldwell opened this issue Jan 22, 2024 · 1 comment · Fixed by #155
Labels
bug Something isn't working

Comments

@sam-caldwell
Copy link
Contributor

Describe the bug
A publicly known security vulnerability exists for golang.org/x/[email protected] with CVSS 5.9 which could allow an attacker to bypass ssh authentication by capture-replay. This vulnerability is fixed in 0.17.0. The latest version is 0.18.0. The vulnerability has a published proof of concept.

To Reproduce
Steps to reproduce the behavior:

  1. This defect can be identified using Snyk or any other code scanner.

Expected behavior
The vulnerability should not be detected by snyk

Screenshots
N/A

Environment that you use to compile (please complete the following information):
N/A

Additional context
@sam-caldwell sam-caldwell added the bug Something isn't working label Jan 22, 2024
This was referenced Jan 22, 2024
Merged
Closed
@Code-Hex
Copy link
Owner

Thanks for creating this issue.
To be clear I didn't use this package for production. Used only in testing.

So my recognition is this is not critical. However I understand better to update this package :D

cfergeau pushed a commit to cfergeau/vz that referenced this issue Jan 24, 2024
@sam-caldwell @cfergeau
Update go.mod
5c5cbf0 
Bump version of golang.org/x/crypto to 0.18.0 to address authentication bypass vulnerability.

This fixes Code-Hex#152
@cfergeau cfergeau mentioned this issue Jan 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update go.mod cfergeau/vz
2 participants
@Code-Hex @sam-caldwell