PT-2020-5868
Published: 2019-06-18 · Updated: 2024-03-06 · CVE-2020-7919
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions:
Go versions prior to 1.12.16
Go versions 1.13.x prior to 1.13.7
crypto/cryptobyte package versions prior to 0.0.0-20200124225646-8b5121be2f68
Description:
The issue is related to errors in the certificate authentication procedure in the crypto/x509 and golang.org/x/crypto/cryptobyte libraries of the Go programming language. Exploitation of the issue allows a remote attacker to cause a denial of service via a malformed X.509 certificate, resulting in a panic on the client. This can be delivered through a crypto/tls connection to a client or to a server that accepts client certificates.
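As an added example (not from this advisory or from the Go project), the program below encodes the affected-version ranges listed above into a check against the running toolchain and wraps certificate parsing so that a parser panic on malformed DER, the failure mode the description names, surfaces as an ordinary error instead of crashing the process. The helper names goVersionAffected and safeParseCertificate are hypothetical, and the DER bytes are constructed for illustration.

```go
package main
import (
	"crypto/x509"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// goVersionAffected reports whether a version string like "go1.13.6" falls in the
// advisory's ranges (before 1.12.16, or 1.13.x before 1.13.7); ok=false for non-release strings.
func goVersionAffected(v string) (affected, ok bool) {
	var nums [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, false
		}
		nums[i] = n
	}
	minor, patch := nums[1], nums[2]
	switch {
	case nums[0] != 1 || minor > 13:
		return false, true
	case minor < 12:
		return true, true
	case minor == 12:
		return patch < 16, true
	}
	return patch < 7, true // minor == 13
}

// safeParseCertificate (hypothetical helper) turns a parser panic on malformed DER into an
// error; it only covers certificates your own code parses, not a crypto/tls handshake.
func safeParseCertificate(der []byte) (cert *x509.Certificate, err error) {
	defer func() {
		if r := recover(); r != nil {
			cert, err = nil, fmt.Errorf("x509 parser panicked: %v", r)
		}
	}()
	return x509.ParseCertificate(der)
}
func main() {
	affected, ok := goVersionAffected(runtime.Version())
	fmt.Printf("%s affected by CVE-2020-7919: %v (release build: %v)\n", runtime.Version(), affected, ok)
	// Constructed input: an outer SEQUENCE claiming 0xffff bytes that are not present.
	_, err := safeParseCertificate([]byte{0x30, 0x82, 0xff, 0xff, 0x30, 0x01})
	fmt.Println("malformed certificate rejected:", err)
}
```

The recover wrapper is a containment measure for code paths where your own service parses untrusted certificates; certificates parsed inside a crypto/tls handshake are only protected by moving to the fixed Go or cryptobyte versions.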
Recommendations:
For Go versions prior to 1.12.16, update to version 1.12.16 or later.
For Go versions 1.13.x prior to 1.13.7, update to version 1.13.7 or later.
For crypto/cryptobyte package versions prior to 0.0.0-20200124225646-8b5121be2f68, update to version 0.0.0-20200124225646-8b5121be2f68 or later.
As a temporary workaround, consider restricting access to the crypto/x509 and golang.org/x/crypto/cryptobyte libraries until a patch is available.
Avoid using the crypto/tls connection to deliver malformed X.509 certificates to clients until the issue is resolved.
Weakness Enumeration:
Improper Certificate Validation
Related Identifiers:
Affected Products:
Alt Linux
Go
Crypto/Cryptobyte
Crypto/Tls
Crypto/X509
Golang.Org/X/Crypto/Cryptobyte