// For flags

CVE-2022-28327

golang: crypto/elliptic: panic caused by oversized scalar

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1.18.x before 1.18.1 allows a panic via long scalar input.

La característica genérica P-256 en crypto/elliptic en Go versiones anteriores a 1.17.9 y versiones 1.18.x anteriores a 1.18.1, permite un pánico por medio de una entrada escalar larga

An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scaler input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-04-01 CVE Reserved
  • 2022-04-20 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-10-29 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-190: Integer Overflow or Wraparound
CAPEC
References (14)
URL Tag Source
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
https://security.netapp.com/advisory/ntap-20220915-0010 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
https://groups.google.com/g/golang-announce 2023-11-07
https://groups.google.com/g/golang-announce/c/oecdBNLOml8 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TYZC4OAY54TO75FBEFAPV5G7O4D5TM 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3BMW5QGX53CMIJIZWKXFKBJX2C5GWTY 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NY6GEAJMNKKMU5H46QO4D7D6A24KSPXE 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RCRSABD6CUDIZULZPZL5BJ3ET3A2NEJP 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR 2023-11-07
https://security.gentoo.org/glsa/202208-02 2023-11-07
https://access.redhat.com/security/cve/CVE-2022-28327 2023-07-10
https://bugzilla.redhat.com/show_bug.cgi?id=2077689 2023-07-10
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Golang
Search vendor "Golang"
 Go
Search vendor "Golang" for product "Go"
 < 1.17.9
Search vendor "Golang" for product "Go" and version " < 1.17.9"
-
Affected
Golang
Search vendor "Golang"
 Go
Search vendor "Golang" for product "Go"
 >= 1.18.0 < 1.18.1
Search vendor "Golang" for product "Go" and version " >= 1.18.0 < 1.18.1"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Extra Packages For Enterprise Linux
Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux"
 7.0
Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux" and version "7.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Extra Packages For Enterprise Linux
Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux"
 8.0
Search vendor "Fedoraproject" for product "Extra Packages For Enterprise Linux" and version "8.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected