CVE-2022-23806 - Unchecked Return Value

Severity: None

2025-03-11

Abstract

Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.

The Oxygen products incorporate gosu as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
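For code that does call crypto/elliptic, the defensive pattern is to range-check untrusted coordinates before trusting `IsOnCurve`. The Go sketch below is an added example, not code from Oxygen, gosu or the Go project; `CheckPoint` and its error values are hypothetical names, and all inputs are constructed.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// ErrNotFieldElement is returned when a coordinate is outside [0, P).
var ErrNotFieldElement = errors.New("coordinate is not a valid field element")

// ErrOffCurve is returned when (x, y) does not satisfy the curve equation.
var ErrOffCurve = errors.New("point is not on the curve")

// CheckPoint (hypothetical helper) validates an untrusted affine point.
// It rejects nil, negative and unreduced coordinates itself, so the result
// does not depend on IsOnCurve performing that range check.
func CheckPoint(curve elliptic.Curve, x, y *big.Int) error {
	p := curve.Params().P
	for _, c := range []*big.Int{x, y} {
		if c == nil || c.Sign() < 0 || c.Cmp(p) >= 0 {
			return ErrNotFieldElement
		}
	}
	if !curve.IsOnCurve(x, y) {
		return ErrOffCurve
	}
	return nil
}

func main() {
	curve := elliptic.P256()
	params := curve.Params()
	// Constructed inputs: the base point, and the same point with x shifted
	// by P. x+P is congruent to x mod P but is not a field element.
	shifted := new(big.Int).Add(params.Gx, params.P)
	fmt.Println("base point:", CheckPoint(curve, params.Gx, params.Gy))
	fmt.Println("x + P:     ", CheckPoint(curve, shifted, params.Gy))
	fmt.Println("negative x:", CheckPoint(curve, big.NewInt(-1), params.Gy))
	fmt.Println("off curve: ", CheckPoint(curve, big.NewInt(1), big.NewInt(1)))
}
```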

Affected Products/Versions

| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen Content Fusion v7.0 and older | None | Oxygen Content Fusion 7.1 build 2024100818 |

Mitigation

None

Detail

CVE-2022-23806

Severity: Critical

CVSS Score: 9.1

The version of the gosu third-party library used by Oxygen XML products is one of the affected versions mentioned in the CVE-2022-23806 vulnerability description. However, gosu as used in Oxygen Content Fusion does not use crypto/elliptic. For that reason, Oxygen products are not affected by this vulnerability.

Starting with Oxygen Content Fusion v7.1 build 2024100818, the gosu library was removed.
