Vulnerability Details : CVE-2018-16875
Potential exploit
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
Vulnerability category: Input validationDenial of service
Products affected by CVE-2018-16875
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-16875
3.48%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 86 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-16875
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
10.0
|
6.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
|
5.9
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
2.2
|
3.6
|
Red Hat, Inc. |
CWE ids for CVE-2018-16875
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: secalert@redhat.com (Secondary)
-
The product does not validate, or incorrectly validates, a certificate.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-16875
-
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
[security-announce] openSUSE-SU-2019:1079-1: important: Security updateThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875
1657565 – (CVE-2018-16875) CVE-2018-16875 golang: crypto/x509 allows for denial of service via crafted TLS client certificateIssue Tracking;Third Party Advisory
-
https://security.gentoo.org/glsa/201812-09
Go: Multiple vulnerabilities (GLSA 201812-09) — Gentoo securityMitigation;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
[security-announce] openSUSE-SU-2019:1444-1: important: Security update
-
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
[security-announce] openSUSE-SU-2019:1703-1: moderate: Security update f
-
https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
[security] Go 1.11.3 and Go 1.10.6 are released - Google GroepenThird Party Advisory
-
http://www.securityfocus.com/bid/106230
Golang Go CVE-2018-16875 Remote Denial of Service VulnerabilityThird Party Advisory;VDB Entry
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
[security-announce] openSUSE-SU-2019:1506-1: important: Security update
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
[security-announce] openSUSE-SU-2019:1499-1: important: Security update
Jump to