CVE-2022-23806 - Unchecked Return Value
Severity: None
2025-03-11
Abstract
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
The Oxygen products incorporate gosu as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
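For code that does call Curve.IsOnCurve and may be built with an affected Go release, one defensive pattern is to range-check both coordinates before the call, which covers the condition described in the abstract. This is an added example, not code from this advisory, from gosu or from Oxygen; strictIsOnCurve and inFieldRange are hypothetical helper names, and the sample coordinates are constructed.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// inFieldRange reports whether 0 <= v < p, i.e. v is a canonical field element.
func inFieldRange(v, p *big.Int) bool {
	return v != nil && v.Sign() >= 0 && v.Cmp(p) < 0
}

// strictIsOnCurve (hypothetical helper) rejects out-of-range coordinates
// before delegating to Curve.IsOnCurve, so the answer does not depend on
// which Go release the binary was built with.
func strictIsOnCurve(c elliptic.Curve, x, y *big.Int) bool {
	p := c.Params().P
	if !inFieldRange(x, p) || !inFieldRange(y, p) {
		return false
	}
	return c.IsOnCurve(x, y)
}

func main() {
	c := elliptic.P256()
	gx, gy := c.Params().Gx, c.Params().Gy

	// Constructed sample: Gx + P is congruent to Gx modulo P,
	// but it is not a valid field element.
	shifted := new(big.Int).Add(gx, c.Params().P)

	fmt.Println("base point:        ", strictIsOnCurve(c, gx, gy))
	fmt.Println("x shifted by P:    ", strictIsOnCurve(c, shifted, gy))
	fmt.Println("negative x:        ", strictIsOnCurve(c, big.NewInt(-1), gy))
}
```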
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen Content Fusion v7.0 and older | None | Oxygen Content Fusion 7.1 build 2024100818 |
Detail
CVE-2022-23806
Severity: Critical
CVSS Score: 9.1
The version of the gosu third-party library used by Oxygen XML products is an affected version mentioned in the CVE-2022-23806 vulnerability description. However, the gosu used in Oxygen Content Fusion does not use crypto/elliptic. For that reason, Oxygen products are not affected by this vulnerability.
Starting with Oxygen Content Fusion v7.1 build 2024100818, the gosu library was removed.