CVE-2020-9283

HIGH

Golang Package SSH - Signature Verification Bypass

Title source: rule

Description

golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

Exploits (2)

exploitdb WORKING POC
by Mark Adams · python · dos · linux
https://www.exploit-db.com/exploits/48121
nomisec WORKING POC 5 stars
by brompwnie · poc
https://github.com/brompwnie/CVE-2020-9283

Scores

CVSS v3 7.5
EPSS 0.1868
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-347
Status published
Products (3)
debian/debian_linux 9.0
golang/package_ssh 0.0.0-20200220183623-bac4c82f6975
x/crypto 0 - 0.0.0-20200220183623-bac4c82f6975 (Go)
Published Feb 20, 2020
Tracked Since Feb 18, 2026