CVE-2017-3204

The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.

Published: Apr 4, 2017
Updated: May 9, 2024
CVE: CVE-2017-3204
GHSA: GHSA-xhjq-w7xm-p8qj
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
golang / crypto	-	2017-03-17.x
golang.org/x/crypto	-	0.0.0-20170330155735-e4e2799dd7aa

http://www.securityfocus.com/bid/97481
https://bridge.grumpy-troll.org/2017/04/golang-ssh-security
https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/
https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
https://github.com/golang/go/issues/19767
https://go.dev/cl/340830
https://go.dev/issue/19767
https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
https://godoc.org/golang.org/x/crypto/ssh
https://pkg.go.dev/vuln/GO-2020-0013
https://web.archive.org/web/20170423080311/https://www.securityfocus.com/bid/97481
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3204

Vulnerability Database

289,599

CVE-2017-3204