Miggo Logo

CVE-2019-11841: Golang/x/crypto message forgery vulnerability

5.9

CVSS Score
3.1

Basic Information

EPSS Score
0.59311%
Published
5/24/2022
Updated
10/2/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
golang.org/x/cryptogo< 0.0.0-20190424203555-c05e17bb3b2d0.0.0-20190424203555-c05e17bb3b2d

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the Decode function's failure to properly handle Armor Headers as specified in RFC 4880. The commit c05e17bb3b2d shows critical validation was added to: 1) Reject non-Hash headers 2) Check for control characters 3) Validate header formatting 4) Verify message structure integrity. The original implementation's lack of these validations made header spoofing and message injection possible. The Decode function is directly responsible for parsing signed messages, making it the clear vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* m*ss***-*or**ry issu* w*s *is*ov*r** in `*rypto/op*np*p/*l**rsi*n/*l**rsi*n.*o` in suppl*m*nt*ry *o *rypto*r*p*y li*r*ri*s ****-**-**. ***or*in* to t** Op*nP*P M*ss*** *orm*t sp**i*i**tion in R** **** ***pt*r *, * *l**rt*xt si*n** m*ss*** **n *ont*

Reasoning

T** vuln*r**ility st*ms *rom t** `***o**` *un*tion's **ilur* to prop*rly **n*l* *rmor *****rs *s sp**i*i** in R** ****. T** *ommit `************` s*ows *riti**l v*li**tion w*s ***** to: *) R*j**t non-**s* *****rs *) ****k *or *ontrol ***r**t*rs *) `V