Vulnerability details: VCID-r4f9-fcbj-aaag
Vulnerability ID VCID-r4f9-fcbj-aaag
Aliases CVE-2017-3204
GHSA-xhjq-w7xm-p8qj
Summary The Go SSH library (x/crypto/ssh) by default does not verify host keys, facilitating man-in-the-middle attacks. Default behavior changed in commit e4e2799 to require explicitly registering a hostkey verification mechanism.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
generic_textual Low http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-3204.html
cvssv3 4.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3204.json
epss 0.00227 https://api.first.org/data/v1/epss?cve=CVE-2017-3204
epss 0.00237 https://api.first.org/data/v1/epss?cve=CVE-2017-3204
epss 0.02187 https://api.first.org/data/v1/epss?cve=CVE-2017-3204
epss 0.02351 https://api.first.org/data/v1/epss?cve=CVE-2017-3204
epss 0.03482 https://api.first.org/data/v1/epss?cve=CVE-2017-3204
cvssv3.1 8.1 https://bridge.grumpy-troll.org/2017/04/golang-ssh-security
generic_textual HIGH https://bridge.grumpy-troll.org/2017/04/golang-ssh-security
generic_textual Low https://bridge.grumpy-troll.org/2017/04/golang-ssh-security/
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1439748
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3204
cvssv3.1 8.1 https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
generic_textual HIGH https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
cvssv3.1 8.1 https://github.com/golang/go/issues/19767
generic_textual HIGH https://github.com/golang/go/issues/19767
cvssv3.1 7.5 https://go.dev/cl/340830
generic_textual HIGH https://go.dev/cl/340830
cvssv3.1 8.1 https://go.dev/cl/38701
generic_textual HIGH https://go.dev/cl/38701
cvssv3.1 8.1 https://go.dev/issue/19767
generic_textual HIGH https://go.dev/issue/19767
cvssv3.1 8.1 https://godoc.org/golang.org/x/crypto/ssh
generic_textual HIGH https://godoc.org/golang.org/x/crypto/ssh
cvssv3.1 8.1 https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
generic_textual HIGH https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2017-3204
cvssv3 8.1 https://nvd.nist.gov/vuln/detail/CVE-2017-3204
cvssv3.1 8.1 https://nvd.nist.gov/vuln/detail/CVE-2017-3204
cvssv3.1 8.1 https://pkg.go.dev/vuln/GO-2020-0013
generic_textual HIGH https://pkg.go.dev/vuln/GO-2020-0013
cvssv3.1 8.1 https://web.archive.org/web/20170423080311/https://www.securityfocus.com/bid/97481
generic_textual HIGH https://web.archive.org/web/20170423080311/https://www.securityfocus.com/bid/97481
cvssv3.1 8.1 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3204
generic_textual HIGH https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3204
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3204.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://bridge.grumpy-troll.org/2017/04/golang-ssh-security
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/golang/go/issues/19767
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://go.dev/cl/340830
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.dev/cl/38701
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.dev/issue/19767
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://godoc.org/golang.org/x/crypto/ssh
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://go.googlesource.com/crypto/+/e4e2799dd7aab89f583e1d898300d96367750991
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2017-3204
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-3204
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://pkg.go.dev/vuln/GO-2020-0013
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://web.archive.org/web/20170423080311/https://www.securityfocus.com/bid/97481
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3204

Exploit Prediction Scoring System (EPSS)
Percentile 0.60475
EPSS Score 0.00227
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.