CVE-2022-41724
N/A
N/A
Summary
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Go standard library | crypto/tls | 0 < 1.19.6 | affected |
| Go standard library | crypto/tls | 1.20.0-0 < 1.20.1 | affected |
Weaknesses
- CWE-400: Uncontrolled Resource Consumption
ADP Enrichment
CVE Program Container
Additional References
- https://go.dev/issue/58001
- https://go.dev/cl/468125
- https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
- https://pkg.go.dev/vuln/GO-2023-1570
- https://security.gentoo.org/glsa/202311-09
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://go.dev/issue/58001
- https://go.dev/cl/468125
- https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
- https://pkg.go.dev/vuln/GO-2023-1570
- https://security.gentoo.org/glsa/202311-09
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.