NVD - CVE-2019-6486

CVE-2019-6486 Detail

Current Description

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.

Source: MITRE
Description Last Modified: 01/24/2019
View Analysis Description

Impact

CVSS v3.0 Severity and Metrics:

Base Score: 8.2 HIGH
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H (V3 legend)
Impact Score: 4.2
Exploitability Score: 3.9

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): High

CVSS v2.0 Severity and Metrics:

Base Score: 6.4 MEDIUM
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) (V2 legend)
Impact Subscore: 4.9
Exploitability Subscore: 10.0

Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): None
Availability (A): Partial
Additional Information:
Allows unauthorized disclosure of information
Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00042.html	Third Party Advisory
http://www.securityfocus.com/bid/106740	Third Party Advisory VDB Entry
https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360	Patch Third Party Advisory
https://github.com/golang/go/issues/29903	Third Party Advisory
https://github.com/google/wycheproof	Third Party Advisory
https://groups.google.com/forum/#!topic/golang-announce/mVeX35iXuSw	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00009.html	Mailing List Third Party Advisory
https://www.debian.org/security/2019/dsa-4379	Third Party Advisory
https://www.debian.org/security/2019/dsa-4380	Third Party Advisory

Technical Details

Vulnerability Type (View All)

Uncontrolled Resource Consumption ('Resource Exhaustion') (CWE-400)

Known Affected Software Configurations Switch to CPE 2.2

Configuration 1 ( hide )

cpe:2.3:a:golang:go:::::::: Show Matching CPE(s)	Up to (excluding) 1.10.8
cpe:2.3:a:golang:go:::::::: Show Matching CPE(s)	From (including) 1.11.1	Up to (excluding) 1.11.5

Configuration 2 ( hide )

cpe:2.3:o:debian:debian_linux:8.0:::::::* Show Matching CPE(s)
cpe:2.3:o:debian:debian_linux:9.0:::::::* Show Matching CPE(s)

Configuration 3 ( hide )

cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
Show Matching CPE(s)

Change History

8 change records found - show changes

Modified Analysis - 2/26/2019 1:36:47 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR cpe:2.3:o:debian:debian_linux:8.0::::::: cpe:2.3:o:debian:debian_linux:9.0:::::::
Changed	CVSS V2	(AV:N/AC:L/Au:N/C:N/I:N/A:C)	(AV:N/AC:L/Au:N/C:P/I:N/A:P)
Changed	CVSS V3	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Added	CWE		CWE-400
Removed	CWE	CWE-399
Changed	Reference Type	http://www.securityfocus.com/bid/106740 No Types Assigned	http://www.securityfocus.com/bid/106740 Third Party Advisory, VDB Entry
Changed	Reference Type	https://lists.debian.org/debian-lts-announce/2019/02/msg00009.html No Types Assigned	https://lists.debian.org/debian-lts-announce/2019/02/msg00009.html Mailing List, Third Party Advisory
Changed	Reference Type	https://www.debian.org/security/2019/dsa-4379 No Types Assigned	https://www.debian.org/security/2019/dsa-4379 Third Party Advisory
Changed	Reference Type	https://www.debian.org/security/2019/dsa-4380 No Types Assigned	https://www.debian.org/security/2019/dsa-4380 Third Party Advisory

Initial Analysis - 1/25/2019 11:26:57 AM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR cpe:2.3:a:golang:go::::::::* versions up to (excluding) 1.10.8 cpe:2.3:a:golang:go::::::::* versions from (including) 1.11.1 up to (excluding) 1.11.5
Added	CVSS V2		(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Added	CVSS V3		AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Added	CWE		CWE-399
Changed	Reference Type	https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360 No Types Assigned	https://github.com/golang/go/commit/42b42f71cf8f5956c09e66230293dfb5db652360 Patch, Third Party Advisory
Changed	Reference Type	https://github.com/golang/go/issues/29903 No Types Assigned	https://github.com/golang/go/issues/29903 Third Party Advisory
Changed	Reference Type	https://groups.google.com/forum/#!topic/golang-announce/mVeX35iXuSw No Types Assigned	https://groups.google.com/forum/#!topic/golang-announce/mVeX35iXuSw Mailing List, Third Party Advisory

Quick Info

CVE Dictionary Entry:
CVE-2019-6486
NVD Published Date:
01/24/2019
NVD Last Modified:
04/18/2019

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2019-6486 Detail

Current Description

Analysis Description

Impact

References to Advisories, Solutions, and Tools

Technical Details

Known Affected Software Configurations Switch to CPE 2.2

Change History

Modified Analysis - 4/18/2019 4:08:40 PM

CVE Modified by MITRE - 4/5/2019 5:29:04 PM

CVE Modified by MITRE - 3/21/2019 12:01:08 PM

Modified Analysis - 2/26/2019 1:36:47 PM

CVE Modified by MITRE - 2/7/2019 6:29:13 AM

CVE Modified by MITRE - 2/2/2019 6:29:01 AM

CVE Modified by MITRE - 1/29/2019 6:29:02 AM

Initial Analysis - 1/25/2019 11:26:57 AM

Quick Info