製品・ソフトウェアに関する情報
Vulnerability Search
Go における情報漏えいに関する脆弱性
Title Go における情報漏えいに関する脆弱性
Summary

Go には、情報漏えいに関する脆弱性、および暗号に関する脆弱性が存在します。

Possible impacts 情報を取得される可能性があります。
Solution

ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。

Publication Date April 20, 2017, midnight
Registration Date Aug. 2, 2017, 5:42 p.m.
Last Update Aug. 2, 2017, 5:42 p.m.
CVSS3.0 : 警告
Score 5.9
Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS2.0 : 警告
Score 4.3
Vector AV:N/AC:M/Au:N/C:P/I:N/A:N
Affected System
Fedora Project
Fedora 25
SUSE
SUSE Package Hub for SUSE Linux Enterprise 12
openSUSE project
openSUSE Leap 42.2
The Go Project
Go 1.7.6 未満
Go 1.8.2 未満の 1.8.x
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
Change Log
No Changed Details Date of change
0 [2017年08月02日]
  掲載		 Feb. 17, 2018, 10:37 a.m.
NVD Vulnerability Information
CVE-2017-8932
Summary

A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.

Publication Date July 7, 2017, 1:29 a.m.
Registration Date Jan. 26, 2021, 1:30 p.m.
Last Update Nov. 21, 2024, 12:35 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:golang:go:1.8:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* 1.7.5
Configuration2 or higher or less more than less than
cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*
cpe:2.3:a:novell:suse_package_hub_for_suse_linux_enterprise:12:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List