CVE-2022-27191

Denial of service via crafted Signer in golang.org/x/crypto/ssh

Description

Attackers can cause a crash in SSH servers when the server has been configured by passing a Signer to ServerConfig.AddHostKey such that

  1. the Signer passed to AddHostKey does not implement AlgorithmSigner, and
  2. the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey method.

Servers that only use Signer implementations provided by the ssh package are unaffected.
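
A startup guard for the two conditions above, as an added example that is not code from golang.org/x/crypto or from this advisory. The interfaces are simplified stand-ins so the block runs without the module, and `CheckHostSigner` and the sample signer types are hypothetical names. With the real package, the same check is a type assertion to `ssh.AlgorithmSigner` plus a comparison of `PublicKey().Type()` against `ssh.KeyAlgoRSA`, done before calling `AddHostKey`.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// Stand-ins for the ssh package's types (assumption: simplified so this runs
// without golang.org/x/crypto; Sign returns []byte, not *ssh.Signature).
type PublicKey interface{ Type() string }
type Signer interface {
	PublicKey() PublicKey
	Sign(rand io.Reader, data []byte) ([]byte, error)
}
type AlgorithmSigner interface {
	Signer
	SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) ([]byte, error)
}

const keyAlgoRSA = "ssh-rsa" // same value as ssh.KeyAlgoRSA
var ErrAffectedSigner = errors.New("signer matches CVE-2022-27191 conditions")

// CheckHostSigner (hypothetical helper) returns ErrAffectedSigner when both
// conditions hold: no AlgorithmSigner support and a key of type "ssh-rsa".
func CheckHostSigner(s Signer) error {
	_, isAlgSigner := s.(AlgorithmSigner)
	if !isAlgSigner && s.PublicKey().Type() == keyAlgoRSA {
		return fmt.Errorf("%w: %T", ErrAffectedSigner, s)
	}
	return nil
}

// Constructed sample signers, standing in for custom HSM or agent wrappers.
type key string
func (k key) Type() string { return string(k) }
type plainSigner struct{ k key }
func (p plainSigner) PublicKey() PublicKey { return p.k }
func (p plainSigner) Sign(io.Reader, []byte) ([]byte, error) { return nil, nil }
type algSigner struct{ plainSigner }
func (a algSigner) SignWithAlgorithm(io.Reader, []byte, string) ([]byte, error) { return nil, nil }

func main() {
	samples := []Signer{plainSigner{"ssh-rsa"}, algSigner{plainSigner{"ssh-rsa"}}, plainSigner{"ssh-ed25519"}}
	for _, s := range samples {
		fmt.Printf("%T %s -> %v\n", s, s.PublicKey().Type(), CheckHostSigner(s))
	}
}
```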

Patch Available

Fix available through Seal Security. 

No upgrade required, protect your application instantly.

Score
Severity
Ecosystem: Go
Publish Date: April 25, 2022
Modified Date: May 20, 2024
Score Vector
Affected Versions