CVE-2018-16875
CVE-2018-16875 is a vulnerability of currently unknown severity, affecting the crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 (see Description below). EPSS estimates a 6.33% chance of exploitation in the next 30 days.
Description
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.10.6 |
| Golang | Go | >= 1.11.0, < 1.11.3 |
| Opensuse | Leap | 42.3 |
References
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html (Third Party Advisory)
- http://www.securityfocus.com/bid/106230 (Third Party Advisory, VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875 (Issue Tracking, Third Party Advisory)
- https://security.gentoo.org/glsa/201812-09 (Mitigation, Third Party Advisory)
Source: NVD / NIST
