CVE-2019-17596

HIGH

Go < 1.12.11 - Interpretation Conflict

Title source: rule

Description

Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.

Exploits (1)

nomisec WORKING POC 1 stars
by pquerna · poc
https://github.com/pquerna/poc-dsa-verify-CVE-2019-17596

Scores

CVSS v3 7.5
EPSS 0.0234
EPSS Percentile 84.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-436
Status published
Products (17)
arista/cloudvision_portal 2019.1.0
arista/cloudvision_portal 2019.1.1
arista/cloudvision_portal 2019.1.2
arista/cloudvision_portal 2018.1.0 - 2018.2.3
arista/eos < 4.23.1f
arista/mos < 0.25
arista/terminattr < 1.7.2
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 30
... and 7 more
Published Oct 24, 2019
Tracked Since Feb 18, 2026