CVE-2022-23806
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/02/2022
Last modified:
20/04/2023
Description
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
Impact
Base Score 3.x
9.10
Severity 3.x
CRITICAL
Base Score 2.0
6.40
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | 1.16.14 (excluding) | |
| cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* | 1.17.0 (including) | 1.17.7 (excluding) |
| cpe:2.3:a:netapp:beegfs_csi_driver:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:cloud_insights_telegraf_agent:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:kubernetes_monitoring_operator:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ
- https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html
- https://security.gentoo.org/glsa/202208-02
- https://security.netapp.com/advisory/ntap-20220225-0006/
- https://www.oracle.com/security-alerts/cpujul2022.html