{ "id": "CVE-2018-16875", "sourceIdentifier": "secalert@redhat.com", "published": "2018-12-14T14:29:00.523", "lastModified": "2023-11-07T02:53:57.207", "vulnStatus": "Modified", "descriptions": [ { "lang": "en", "value": "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected." }, { "lang": "es", "value": "El paquete crypto/x509 de Go, en versiones anteriores a la 1.10.6 y versiones 1.11.x anteriores a la 1.11.3,no limita la cantidad de trabajo realizado para cada verificaci\u00f3n de cadenas, lo que podr\u00eda permitir que los atacantes manipulen entradas patol\u00f3gicas que conducen a la denegaci\u00f3n de servicio (DoS) de la CPU. Los servidores TLS de Go que aceptan certificados de clientes y clientes TLS se han visto afectados." } ], "metrics": { "cvssMetricV30": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH" }, "exploitabilityScore": 3.9, "impactScore": 3.6 }, { "source": "53f830b8-0a3f-465b-8143-3b8a9948e749", "type": "Secondary", "cvssData": { "version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 2.2, "impactScore": 3.6 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8 }, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-295" } ] }, { "source": "53f830b8-0a3f-465b-8143-3b8a9948e749", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-20" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.10.6", "matchCriteriaId": "49A979C3-1002-477D-9874-FD5E0D1681D4" }, { "vulnerable": true, "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.11.0", "versionEndExcluding": "1.11.3", "matchCriteriaId": "7F67C474-BD21-4A3E-9F35-3D36BB6F09F4" } ] } ] }, { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3" } ] } ] } ], "references": [ { "url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html", "source": "secalert@redhat.com", "tags": [ "Third Party Advisory" ] }, { "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html", "source": "secalert@redhat.com" }, { "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html", "source": "secalert@redhat.com" }, { "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html", "source": "secalert@redhat.com" }, { "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html", "source": "secalert@redhat.com" }, { "url": "http://www.securityfocus.com/bid/106230", "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ] }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875", "source": "secalert@redhat.com", "tags": [ "Issue Tracking", "Third Party Advisory" ] }, { "url": "https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0", "source": "secalert@redhat.com" }, { "url": "https://security.gentoo.org/glsa/201812-09", "source": "secalert@redhat.com", "tags": [ "Mitigation", "Third Party Advisory" ] } ] }