CVE-2020-29652
Public on 2020-12-17
Modified on 2022-08-05
Description
A null pointer dereference vulnerability was found in golang. When using the library's ssh server without specifying an option for GSSAPIWithMICConfig, it is possible for an attacker to craft an ssh client connection using the authentication method and cause the server to panic resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | golang | 2022-07-28 | ALAS2-2022-1830 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |