CVE-2022-41724
CVE-2022-41724 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. EPSS estimates a 1.10% chance of exploitation in the next 30 days.
Description
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.19.6 |
| Golang | Go | 1.20.0 |
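A triage helper for the conditions in the Description and the version ranges in the table above. It is an added example, not code from the Go project or from this record. The function names `affectedVersion` and `exposedPaths` are hypothetical, and the code assumes that a zero `MaxVersion` means the library default, which allows TLS 1.3.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"runtime"
)

// affectedVersion checks a runtime.Version()-style string ("go1.19.5") against
// the table: below 1.19.6, or exactly 1.20.0. ok is false if v cannot be parsed.
func affectedVersion(v string) (affected, ok bool) {
	var major, minor, patch int // a missing patch level ("go1.20") stays 0
	n, _ := fmt.Sscanf(v, "go%d.%d.%d", &major, &minor, &patch)
	canon := fmt.Sprintf("go%d.%d", major, minor)
	if n == 3 {
		canon = fmt.Sprintf("go%d.%d.%d", major, minor, patch)
	}
	if n < 2 || canon != v || major != 1 { // rejects devel builds, release candidates
		return false, false
	}
	return minor < 19 || (minor == 19 && patch < 6) || (minor == 20 && patch == 0), true
}

// exposedPaths lists which of the Description's three conditions cfg meets in the given role.
func exposedPaths(cfg *tls.Config, asServer bool) []string {
	var hits []string
	tls13 := cfg.MaxVersion == 0 || cfg.MaxVersion >= tls.VersionTLS13 // assumption: 0 allows TLS 1.3
	tls12 := cfg.MinVersion <= tls.VersionTLS12 &&
		(cfg.MaxVersion == 0 || cfg.MaxVersion >= tls.VersionTLS12)
	if asServer {
		if tls13 && cfg.ClientAuth >= tls.RequestClientCert {
			hits = append(hits, "TLS 1.3 server requesting client certificates")
		}
		return hits
	}
	if tls13 {
		hits = append(hits, "TLS 1.3 client")
	}
	if tls12 && cfg.ClientSessionCache != nil {
		hits = append(hits, "TLS 1.2 client with session resumption")
	}
	return hits
}

func main() {
	affected, ok := affectedVersion(runtime.Version())
	fmt.Println("runtime:", runtime.Version(), "affected:", affected, "parsed:", ok)
	fmt.Println("server:", exposedPaths(&tls.Config{ClientAuth: tls.RequestClientCert}, true)) // constructed sample config
}
```

A build is of concern only when both checks are positive: the toolchain version falls in the listed ranges and the configuration takes at least one of the three paths.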
References
- https://go.dev/cl/468125 (Patch, Release Notes)
- https://go.dev/issue/58001 (Issue Tracking, Patch, Vendor Advisory)
- https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E (Mailing List, Vendor Advisory)
- https://pkg.go.dev/vuln/GO-2023-1570 (Vendor Advisory)
Timeline
- Status: Modified
Source: NVD / NIST
