Resource exhaustion in Go programming language - CVE-2019-6486
Published: January 24, 2019 / Updated: January 28, 2019
Vulnerability identifier: #VU17245
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-6486
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Google
Affected software:
Go programming language
Go programming language
Detailed vulnerability description
The vulnerability allows a remote attacker to cause DoS condition.
The vulnerability exists in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves due to insufficient validation of user-supplied input. A remote attacker can submit specially crafted inputs via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures, consume excessive amounts of CPU and cause the service to crash.
How to mitigate CVE-2019-6486
Install update from vendor's website.