CVE-2019-6486
UnknownEPSS 4.33%
Last modified
CVE-2019-6486 is a vulnerability of currently unknown severity. Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.. EPSS estimates a 4.33% chance of exploitation in the next 30 days.
Description
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.10.8 |
| Golang | Go | >= 1.11.1, < 1.11.5 |
| Debian | Debian Linux | 8.0 |
| Debian | Debian Linux | 9.0 |
| Opensuse | Leap | 15.0 |
References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00042.htmlThird Party Advisory
- http://www.securityfocus.com/bid/106740Third Party Advisory, VDB Entry
- https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360Patch, Third Party Advisory
- https://github.com/golang/go/issues/29903Third Party Advisory
- https://github.com/google/wycheproofThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/02/msg00009.htmlMailing List, Third Party Advisory
- https://www.debian.org/security/2019/dsa-4379Third Party Advisory
- https://www.debian.org/security/2019/dsa-4380Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00042.htmlThird Party Advisory
- http://www.securityfocus.com/bid/106740Third Party Advisory, VDB Entry
- https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360Patch, Third Party Advisory
- https://github.com/golang/go/issues/29903Third Party Advisory
- https://github.com/google/wycheproofThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/02/msg00009.htmlMailing List, Third Party Advisory
- https://www.debian.org/security/2019/dsa-4379Third Party Advisory
- https://www.debian.org/security/2019/dsa-4380Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-6486?
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
How severe is CVE-2019-6486?
Severity scoring for CVE-2019-6486 is pending analysis. The EPSS model estimates a 4.33% probability of exploitation in the next 30 days.
How do I fix CVE-2019-6486?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2019-6486?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST