ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing — GHSA-VC8P-8PXG-RFWG
GitHub · GitHub · GHSA-VC8P-8PXG-RFWG
ID
GHSA-VC8P-8PXG-RFWG
GHSA-VC8P-8PXG-RFWG
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
6.7
6.7
Summary
## Summary The DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to `Int` values or allocating arrays. A malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger than the available input. This could cause parsing errors or an uncaught `OutOfMemoryError`, potentially terminating…
Product
maven: org.connectbot.sshlib:sshlib
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.