Vulnerability details: VCID-7cpq-eu6x-ryeq
Vulnerability ID VCID-7cpq-eu6x-ryeq
Aliases CVE-2017-3204
GHSA-xhjq-w7xm-p8qj
Summary golang.org/x/crypto/ssh Man-in-the-Middle attack: The Go SSH library (golang.org/x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks if ClientConfig.HostKeyCallback is not set. The default behavior changed in commit e4e2799 to require explicitly registering a host key verification mechanism.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (0)
There are no known CWE.
System Score Found at
cvssv3 4.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3204.json
epss 0.01811 https://api.first.org/data/v1/epss?cve=CVE-2017-3204
cvssv3.1 8.1 https://bridge.grumpy-troll.org/2017/04/golang-ssh-security
generic_textual HIGH https://bridge.grumpy-troll.org/2017/04/golang-ssh-security
cvssv3.1 8.1 https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
generic_textual HIGH https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
cvssv3.1 8.1 https://github.com/golang/go/issues/19767
generic_textual HIGH https://github.com/golang/go/issues/19767
cvssv3.1 8.1 https://go.dev/cl/340830
generic_textual HIGH https://go.dev/cl/340830
cvssv3.1 8.1 https://go.dev/cl/38701
generic_textual HIGH https://go.dev/cl/38701
cvssv3.1 8.1 https://go.dev/issue/19767
generic_textual HIGH https://go.dev/issue/19767
cvssv3.1 8.1 https://godoc.org/golang.org/x/crypto/ssh
generic_textual HIGH https://godoc.org/golang.org/x/crypto/ssh
cvssv3.1 8.1 https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
generic_textual HIGH https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2017-3204
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2017-3204
cvssv3.1 8.1 https://pkg.go.dev/vuln/GO-2020-0013
generic_textual HIGH https://pkg.go.dev/vuln/GO-2020-0013
cvssv3.1 8.1 https://web.archive.org/web/20170423080311/https://www.securityfocus.com/bid/97481
generic_textual HIGH https://web.archive.org/web/20170423080311/https://www.securityfocus.com/bid/97481
cvssv3.1 8.1 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3204
generic_textual HIGH https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3204
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3204.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://bridge.grumpy-troll.org/2017/04/golang-ssh-security
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/golang/go/issues/19767
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.dev/cl/340830
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.dev/cl/38701
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.dev/issue/19767
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://godoc.org/golang.org/x/crypto/ssh
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-3204
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://pkg.go.dev/vuln/GO-2020-0013
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://web.archive.org/web/20170423080311/https://www.securityfocus.com/bid/97481
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3204
Exploit Prediction Scoring System (EPSS)
Percentile 0.82062
EPSS Score 0.01811
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:42:54.984966+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-xhjq-w7xm-p8qj/GHSA-xhjq-w7xm-p8qj.json 37.0.0