{"id":"GO-2020-0013","summary":"Man-in-the-middle attack in golang.org/x/crypto/ssh","details":"By default host key verification is disabled which allows for man-in-the-middle attacks against SSH clients if ClientConfig.HostKeyCallback is not set.","aliases":["CVE-2017-3204","GHSA-xhjq-w7xm-p8qj"],"modified":"2024-05-20T16:03:47Z","published":"2021-04-14T20:04:52Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2020-0013","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/38701"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991"},{"type":"REPORT","url":"https://go.dev/issue/19767"},{"type":"WEB","url":"https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/"}],"affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go","purl":"pkg:golang/golang.org/x/crypto"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20170330155735-e4e2799dd7aa"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/crypto/ssh","symbols":["Dial","NewClientConn"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2020-0013.json"}}],"schema_version":"1.7.3","credits":[{"name":"Phil Pennock"}]}