CVE-2017-3204
Published: Apr 4, 2017
Modified: Aug 5, 2024
PUBLISHED
Description
The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.
| Vendor | Product | Versions |
|---|---|---|
| Go | SSH library | affected prior to commit e4e2799 |
Weaknesses (CWE)
References
https://godoc.org/golang.org/x/crypto/ssh (x_refsource_MISC)
https://github.com/golang/go/issues/19767 (x_refsource_CONFIRM)
https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/ (x_refsource_MISC)
97481 (vdb-entry, x_refsource_BID)