CVE-2022-23806

Public on 2022-02-11
Modified on 2024-03-31
Description
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
Severity
Medium severity
Medium
CVSS v3 Base Score
8.2
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 golang 2022-09-15 ALAS-2022-1635 Fixed
Amazon Linux 1 golang 2023-02-15 ALAS-2023-1685 Fixed
Amazon Linux 2 - Core golang 2022-04-25 ALAS2-2022-1776 Fixed
Amazon Linux 2 - Core golang 2022-07-06 ALAS2-2022-1811 Fixed
Amazon Linux 2 - Core golang 2022-07-28 ALAS2-2022-1830 Fixed
Amazon Linux 2 - Golang1.19 Extra golang 2023-08-07 ALAS2GOLANG1.19-2023-002 Fixed
Amazon Linux 2023 golang 2023-02-17 ALAS2023-2023-048 Fixed
Amazon Linux 2023 golang 2023-04-27 ALAS2023-2023-175 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
NVD CVSSv2 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P
NVD CVSSv3 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

Red Hat: CVE-2022-23806 Mitre: CVE-2022-23806