Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-8932

A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.9, indicating it can be exploited remotely over the network but requires specific conditions to be met without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts confidentiality (data exposure), for affected systems. Impacting 4 products from golang, from novell, from fedoraproject and 1 other, organizations running these solutions should prioritize assessment and patching.

Historical Context

First disclosed in 2017, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.

Published

2017-07-06T16:29:00.420

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-682

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	golang	go	≤ 1.7.5	Yes
Application	golang	go	1.8	Yes
Application	golang	go	1.8.1	Yes
Application	novell	suse_package_hub_for_suse_linux_enterprise	12	Yes
Operating System	fedoraproject	fedora	25	Yes
Operating System	opensuse	leap	42.2	Yes

References

http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html Patch, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-updates/2017-06/msg00080.html Patch, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2017:1859 ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=1455191 Issue Tracking, Third Party Advisory ([email protected])
https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c Issue Tracking, Patch, Third Party Advisory ([email protected])
https://github.com/golang/go/issues/20040 Third Party Advisory ([email protected])
https://go-review.googlesource.com/c/41070/ Vendor Advisory ([email protected])
https://groups.google.com/d/msg/golang-announce/B5ww0iFt1_Q/TgUFJV14BgAJ Vendor Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZH4T47ROLZ6YEZBDVXVS2KISTDMXAPS/ ([email protected])
http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-updates/2017-06/msg00080.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:1859 (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=1455191 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/golang/go/issues/20040 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://go-review.googlesource.com/c/41070/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/d/msg/golang-announce/B5ww0iFt1_Q/TgUFJV14BgAJ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZH4T47ROLZ6YEZBDVXVS2KISTDMXAPS/ (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For golang's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.