CVE-2019-17596
CVE-2019-17596 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Go before 1.12.11 and 1.13.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates. EPSS estimates a 4.69% chance of exploitation in the next 30 days.
Description
Go before 1.12.11 and 1.13.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | >= 1.12, < 1.12.11 |
| Golang | Go | >= 1.13, < 1.13.2 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Fedoraproject | Fedora | 30 |
| Fedoraproject | Fedora | 31 |
| Redhat | Developer Tools | 1.0 |
| Redhat | Enterprise Linux | 8.0 |
| Redhat | Enterprise Linux Server | 8.1 |
| Opensuse | Leap | 15.0 |
| Opensuse | Leap | 15.1 |
| Arista | Cloudvision Portal | >= 2018.1.0, <= 2018.2.3 |
| Arista | Cloudvision Portal | 2019.1.0 |
| Arista | Cloudvision Portal | 2019.1.1 |
| Arista | Cloudvision Portal | 2019.1.2 |
| Arista | Terminattr | <= 1.7.2 |
| Arista | Eos | <= 4.23.1f |
| Arista | Mos | <= 0.25 |
References
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00043.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00044.html (Mailing List, Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0101 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0329 (Third Party Advisory)
- https://github.com/golang/go/issues/34960 (Exploit, Issue Tracking, Patch, Third Party Advisory)
- https://groups.google.com/d/msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ (Release Notes, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20191122-0005/ (Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4551 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
