CVE-2017-8932
Public on 2017-07-06
Modified on 2017-07-14
Description
A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could possibly use this flaw to extract private keys when static ECDH was used.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | golang | 2017-07-13 | ALAS-2017-857 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.8 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| NVD | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| NVD | CVSSv3 | 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |