x/vulndb: potential Go vuln in golang.org/x/crypto: CVE-2023-48795

[tatianab]

Version v0.17.0 of golang.org/x/crypto fixes a protocol weakness in the golang.org/x/crypto/ssh package that allowed a MITM attacker to compromise the integrity of the secure channel before it was established, allowing them to prevent transmission of a number of messages immediately after the secure channel was established without either side being aware.

The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features.

This protocol weakness was also fixed in OpenSSH 9.6.

Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum for reporting this issue.

This is CVE-2023-48795 and Go issue https://go.dev/issue/64784.

[gopherbot]

Change https://go.dev/cl/550858 mentions this issue: data/reports: add GO-2023-2402.yaml