CVE-2018-16875

high

Description

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

References

Advisories
More

https://security.gentoo.org/glsa/201812-09

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875

http://www.securityfocus.com/bid/106230

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html

https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0

Details

Source: Mitre, NVD

Published: 2018-12-14

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.03484