{"id":"GO-2021-0227","summary":"Panic on crafted authentication request message in golang.org/x/crypto/ssh","details":"Clients can cause a panic in SSH servers. An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.","aliases":["CVE-2020-29652","GHSA-3vm4-22fp-5rfm"],"modified":"2026-02-04T03:17:50.287206Z","published":"2022-02-17T17:35:32Z","related":["CGA-hp7g-jcw7-c892"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2021-0227"},"references":[{"type":"FIX","url":"https://go.dev/cl/278852"},{"type":"FIX","url":"https://go.googlesource.com/crypto/+/8b5274cf687fd9316b4108863654cc57385531e8"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1"}],"affected":[{"package":{"name":"golang.org/x/crypto","ecosystem":"Go","purl":"pkg:golang/golang.org/x/crypto"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20201216223049-8b5274cf687f"}]}],"ecosystem_specific":{"imports":[{"symbols":["NewServerConn","connection.serverAuthenticate"],"path":"golang.org/x/crypto/ssh"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0227.json"}}],"schema_version":"1.7.3","credits":[{"name":"Joern Schneewesiz (GitLab Security Research Team)"}]}