Vulnerability Monitor


CVE-2022-41724


Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).


Published: 2023-02-28T18:15:10.043

Last Modified: 2024-11-21T07:23:44.603

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 7.5 (HIGH)

Weaknesses
  • Type: Primary
    CWE-400

Affected Vendors & Products
Type         Vendor  Product  Version/Range  Vulnerable?
Application  golang  go       < 1.19.6       Yes
Application  golang  go       1.20.0         Yes
Application  golang  go       1.20.0         Yes
Application  golang  go       1.20.0         Yes
Application  golang  go       1.20.0         Yes
