CVE-2019-11840 — MEDIUM (5.9)

Vulnerability Description

An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Golang	Crypto	-
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-330

References

https://bugzilla.redhat.com/show_bug.cgi?id=1691529Issue TrackingVendor Advisory
https://github.com/golang/go/issues/30965Third Party Advisory
https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113dMailing ListPatchThird Party Advisory
https://groups.google.com/forum/#%21msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJPermissions Required
https://lists.debian.org/debian-lts-announce/2019/06/msg00029.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/10/msg00014.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00016.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/11/msg00030.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/01/msg00015.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2023/06/msg00017.htmlThird Party Advisory
https://pkg.go.dev/vuln/GO-2022-0209Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1691529Issue TrackingVendor Advisory
https://github.com/golang/go/issues/30965Third Party Advisory
https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113dMailing ListPatchThird Party Advisory
https://groups.google.com/forum/#%21msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJPermissions Required

FAQ

What is CVE-2019-11840?

CVE-2019-11840 is a vulnerability with a CVSS score of 5.9 (MEDIUM). An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/c...

How severe is CVE-2019-11840?

CVE-2019-11840 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-11840?

Check the references section above for vendor advisories and patch information. Affected products include: Golang Crypto, Debian Debian Linux.