[GO-2022-0435] Panic due to large inputs affecting P-256 curves in crypto/elliptic

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or
P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
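
A caller-side guard for code that calls P256().ScalarMult directly, as an added example that is not part of the advisory or of the Go project's own code: it refuses scalars longer than 32 bytes before they reach the curve and turns any panic into an error. `GuardedScalarMult` and `ErrScalarTooLong` are hypothetical names, and the sample scalars are constructed.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// p256ScalarLen is the byte length of a P-256 scalar (256 bits).
const p256ScalarLen = 32

// ErrScalarTooLong is returned instead of handing an oversized scalar to the curve.
var ErrScalarTooLong = errors.New("p256: scalar longer than 32 bytes")

// GuardedScalarMult (hypothetical helper, not a crypto/elliptic API) computes
// k*(x, y) on P-256. It rejects scalars longer than 32 bytes and off-curve
// points, and converts any panic from the curve code into an error.
func GuardedScalarMult(x, y *big.Int, k []byte) (rx, ry *big.Int, err error) {
	if len(k) > p256ScalarLen {
		return nil, nil, ErrScalarTooLong
	}
	curve := elliptic.P256()
	if x == nil || y == nil || !curve.IsOnCurve(x, y) {
		return nil, nil, errors.New("p256: point is not on the curve")
	}
	defer func() {
		if r := recover(); r != nil {
			rx, ry, err = nil, nil, fmt.Errorf("p256: scalar multiplication panicked: %v", r)
		}
	}()
	rx, ry = curve.ScalarMult(x, y, k)
	return rx, ry, nil
}

func main() {
	g := elliptic.P256().Params()
	valid := make([]byte, 32) // constructed sample scalar: the value 2
	valid[31] = 2
	tooLong := make([]byte, 33) // constructed sample: one byte over the limit
	tooLong[0] = 1
	_, _, err1 := GuardedScalarMult(g.Gx, g.Gy, valid)
	_, _, err2 := GuardedScalarMult(g.Gx, g.Gy, tooLong)
	fmt.Println("32-byte scalar:", err1)
	fmt.Println("33-byte scalar:", err2)
}
```

The guard only covers call sites that are routed through it; the fixed versions listed below address the panic in crypto/elliptic itself.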

Package                       Affected Version
pkg:golang/crypto/elliptic    >= 1.18.0, < 1.17.9
pkg:golang/crypto/elliptic    >= 1.18.0, < 1.18.1

Package                       Fixed Version
pkg:golang/crypto/elliptic    = 1.17.9
pkg:golang/crypto/elliptic    = 1.18.1

Type      Package URL                 Namespace  Name / Product  Version             Distribution / Platform  Arch  Patch / Fix
Fixed     pkg:golang/crypto/elliptic  crypto     elliptic        = 1.17.9
Affected  pkg:golang/crypto/elliptic  crypto     elliptic        >= 1.18.0 < 1.17.9
Fixed     pkg:golang/crypto/elliptic  crypto     elliptic        = 1.18.1
Affected  pkg:golang/crypto/elliptic  crypto     elliptic        >= 1.18.0 < 1.18.1