7.5
CVSSv3

CVE-2018-16875

Published: 14/12/2018 Updated: 03/06/2019
CVSS v2 Base Score: 7.8 | Impact Score: 6.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 694
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Summary

The crypto/x509 package of Go prior to 1.10.6 and 1.11.x prior to 1.11.3 does not limit the amount of work performed for each chain verification, which might allow malicious users to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

golang go

opensuse leap 42.3

Vendor Advisories

The crypto/x509 package of Go before 1106 and 111x before 1113 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service Go TLS servers accepting client certificates and TLS clients are affected ...
The crypto/x509 package of Go before 1106 and 111x before 1113 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service Go TLS servers accepting client certificates and TLS clients are affected ...
In Go before 1106 and 111x before 1113, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at http ...
Arch Linux Security Advisory ASA-201812-11 ========================================== Severity: High Date : 2018-12-18 CVE-ID : CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 Package : go Type : multiple issues Remote : Yes Link : securityarchlinuxorg/AVG-835 Summary ======= The package go before version 2:1113-1 is vulnerab ...
Arch Linux Security Advisory ASA-201812-12 ========================================== Severity: High Date : 2018-12-18 CVE-ID : CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 Package : go-pie Type : multiple issues Remote : Yes Link : securityarchlinuxorg/AVG-835 Summary ======= The package go-pie before version 2:1113-1 is ...
IBM Event Streams has addressed the following vulnerabilities in the Go Runtimes shipped ...

Github Repositories

docker release version 2020-11-09 2501 Upgrades Compose CLI v102 Snyk v14242 Bug fixes and minor changes Fixed an issue that caused Docker Desktop to crash on MacOS 110 (Big Sur) when VirtualBox was also installed See docker/for-mac#4997 2020-11-09 2500 This release contains a Kubernetes upgrade Your local Kubernetes cluster will be reset after install

PoC in GitHub 2020 CVE-2020-0014 It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable This could lead to a local escalation of privilege with no additional execution privileges needed User action is needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Android-10Android ID: A-1286745

PoC auto collect from GitHub.

PoC in GitHub 2020 CVE-2020-0022 In reassemble_and_dispatch of packet_fragmentercc, there is possible out of bounds write due to an incorrect bounds calculation This could lead to remote code execution over Bluetooth with no additional execution privileges needed User interaction is not needed for exploitationProduct: AndroidVersions: Android-80 Android-81 Android-9 Andr