Elliptic Curve Issue in Go Crypto Library
CVE-2022-23806

9.1CRITICAL

Key Information:

Vendor: Golang
Status: Go
Vendor: CVE Published:; 11 February 2022

What is CVE-2022-23806?

The Curve.IsOnCurve function in the crypto/elliptic package of Go may yield incorrect results by returning true for big.Int values that don't qualify as valid field elements. This flaw can lead to undermined security expectations when leveraging elliptic curve cryptography in Go, potentially exposing systems to risk. It is crucial for users of affected Go versions to apply security updates to mitigate this vulnerability.

References

https://lists.debian.org/debian-lts-announce/2022/04/msg0...

mailing-list

https://lists.debian.org/debian-lts-announce/2022/04/msg0...

mailing-list

https://www.oracle.com/security-alerts/cpujul2022.html

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2022
Vulnerability Reserved
Jan 21, 2022

Golang

What is CVE-2022-23806?

References

CVSS V3.1

Timeline