CVE-2024-24783

Summary

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

Affected Software

VendorProductVersion RangeStatus
Go standard librarycrypto/x5090 < 1.21.8affected
Go standard librarycrypto/x5091.22.0-0 < 1.22.1affected

Weaknesses

  • CWE-476: NULL Pointer Dereference

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References