golang.org/x/crypto/ssh NULL Pointer Dereference vulnerability

GHSA-3vm4-22fp-5rfm · CVE-2020-29652 · GO-2021-0227

Published May 24, 2022 · Modified Feb 4, 2026

Description

A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. An attacker can craft an authentication request message for the gssapi-with-mic method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2020-29652
WEB https://go-review.googlesource.com/c/crypto/+/278852
WEB https://go.dev/cl/278852
WEB https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8
WEB https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
WEB https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E
WEB https://pkg.go.dev/vuln/GO-2021-0227

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes