CVE-2020-7919 : Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package be

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

Published 2020-03-16 21:15:13

Updated 2021-06-14 18:15:33

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2020-7919

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Insights Telegraf » Version: N/A
cpe:2.3:a:netapp:cloud_insights_telegraf:-:*:*:*:*:*:*:*
Matching versions
Golang » GO
Versions from including (>=) 1.13 and before (<) 1.13.7
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions
Golang » GO
Versions from including (>=) 1.12 and before (<) 1.12.6
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-7919

EPSS FAQ

0.63%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 68 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7919

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.8	HIGH	AV:N/AC:L/Au:N/C:N/I:N/A:C	10.0	6.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-7919

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-7919

https://www.debian.org/security/2021/dsa-4848

Debian -- Security Information -- DSA-4848-1 golang-1.11
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20200327-0001/

CVE-2020-7919 Golang Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S43VLYRURELDWX4D5RFOYBNFGO6CGBBC/

[SECURITY] Fedora 31 Update: golang-1.13.9-1.fc31 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Oracle Critical Patch Update Advisory - April 2021

CVEs referencing this url
https://groups.google.com/forum/#!topic/golang-announce/Hsw4mHYc470

[security] Go 1.13.7 and Go 1.12.16 are released - Google Groepen
Mailing List;Vendor Advisory
https://groups.google.com/forum/#!forum/golang-announce

golang-announce - Google Groepen
Mailing List;Vendor Advisory

CVEs referencing this url
https://groups.google.com/forum/#!topic/golang-announce/-sdUB4VEQkA

Google Groepen
Mailing List;Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-7919

Products affected by CVE-2020-7919

Exploit prediction scoring system (EPSS) score for CVE-2020-7919

CVSS scores for CVE-2020-7919

CWE ids for CVE-2020-7919

References for CVE-2020-7919