Description
The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_misc
https://godoc.org/golang.org/x/crypto/ssh
Third Party Advisory x_refsource_confirm
https://github.com/golang/go/issues/19767
Third Party Advisory x_refsource_misc
https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/
Patch, Third Party Advisory x_refsource_confirm
https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97481
Scores
CVSS v3
8.1
EPSS
0.0045
EPSS Percentile
64.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-310
Status
published
Products (3)
Go/SSH library
prior to commit e4e2799
golang/crypto
< 2017-03-17
x/crypto
0 - 0.0.0-20170330155735-e4e2799dd7aaGo
Published
Apr 04, 2017
Tracked Since
Feb 18, 2026