Vulnerabilites related to Go standard library - crypto/x509
cve-2024-24783
Vulnerability from cvelistv5
Published
2024-03-05 22:22
Modified
2025-02-13 17:40
Severity ?
EPSS score ?
Summary
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | crypto/x509 |
Version: 0 ≤ Version: 1.22.0-0 ≤ |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-24783", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-03-06T18:26:26.163411Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-476", description: "CWE-476 NULL Pointer Dereference", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-05T16:57:46.952Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:28:12.597Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://go.dev/issue/65390", }, { tags: [ "x_transferred", ], url: "https://go.dev/cl/569339", }, { tags: [ "x_transferred", ], url: "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg", }, { tags: [ "x_transferred", ], url: "https://pkg.go.dev/vuln/GO-2024-2598", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240329-0005/", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/03/08/4", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "crypto/x509", product: "crypto/x509", programRoutines: [ { name: "Certificate.buildChains", }, { name: "Certificate.Verify", }, ], vendor: "Go standard library", versions: [ { lessThan: "1.21.8", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.22.1", status: "affected", version: "1.22.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "John Howard (Google)", }, ], descriptions: [ { lang: "en", value: "Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-476: NULL Pointer Dereference", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T17:09:42.854Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/issue/65390", }, { url: "https://go.dev/cl/569339", }, { url: "https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg", }, { url: "https://pkg.go.dev/vuln/GO-2024-2598", }, { url: "https://security.netapp.com/advisory/ntap-20240329-0005/", }, { url: "http://www.openwall.com/lists/oss-security/2024/03/08/4", }, ], title: "Verify panics on certificates with an unknown public key algorithm in crypto/x509", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2024-24783", datePublished: "2024-03-05T22:22:26.647Z", dateReserved: "2024-01-30T16:05:14.757Z", dateUpdated: "2025-02-13T17:40:23.803Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2025-22865
Vulnerability from cvelistv5
Published
2025-01-28 01:03
Modified
2025-01-30 19:14
Severity ?
EPSS score ?
Summary
Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | crypto/x509 |
Version: 1.24.0-0 ≤ |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2025-22865", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-28T14:58:11.060442Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-28T15:16:25.641Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "crypto/x509", product: "crypto/x509", programRoutines: [ { name: "ParsePKCS1PrivateKey", }, ], vendor: "Go standard library", versions: [ { lessThan: "1.24.0-rc.2", status: "affected", version: "1.24.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Philippe Antoine (Catena cyber)", }, ], descriptions: [ { lang: "en", value: "Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-228: Improper Handling of Syntactically Invalid Structure", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-30T19:14:21.959Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/cl/643098", }, { url: "https://go.dev/issue/71216", }, { url: "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ", }, { url: "https://pkg.go.dev/vuln/GO-2025-3421", }, ], title: "ParsePKCS1PrivateKey panic with partial keys in crypto/x509", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2025-22865", datePublished: "2025-01-28T01:03:25.121Z", dateReserved: "2025-01-08T19:11:42.833Z", dateUpdated: "2025-01-30T19:14:21.959Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-45341
Vulnerability from cvelistv5
Published
2025-01-28 01:03
Modified
2025-02-21 18:03
Severity ?
EPSS score ?
Summary
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | crypto/x509 |
Version: 0 ≤ Version: 1.23.0-0 ≤ Version: 1.24.0-0 ≤ |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-45341", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-28T14:57:00.467281Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-28T15:16:58.278Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2025-02-21T18:03:33.296Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { url: "https://security.netapp.com/advisory/ntap-20250221-0004/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://pkg.go.dev", defaultStatus: "unaffected", packageName: "crypto/x509", product: "crypto/x509", programRoutines: [ { name: "matchURIConstraint", }, { name: "CertPool.AppendCertsFromPEM", }, { name: "Certificate.CheckCRLSignature", }, { name: "Certificate.CheckSignature", }, { name: "Certificate.CheckSignatureFrom", }, { name: "Certificate.CreateCRL", }, { name: "Certificate.Verify", }, { name: "Certificate.VerifyHostname", }, { name: "CertificateRequest.CheckSignature", }, { name: "CreateCertificate", }, { name: "CreateCertificateRequest", }, { name: "CreateRevocationList", }, { name: "DecryptPEMBlock", }, { name: "EncryptPEMBlock", }, { name: "HostnameError.Error", }, { name: "MarshalECPrivateKey", }, { name: "MarshalPKCS1PrivateKey", }, { name: "MarshalPKCS1PublicKey", }, { name: "MarshalPKCS8PrivateKey", }, { name: "MarshalPKIXPublicKey", }, { name: "ParseCRL", }, { name: "ParseCertificate", }, { name: "ParseCertificateRequest", }, { name: "ParseCertificates", }, { name: "ParseDERCRL", }, { name: "ParseECPrivateKey", }, { name: "ParsePKCS1PrivateKey", }, { name: "ParsePKCS1PublicKey", }, { name: "ParsePKCS8PrivateKey", }, { name: "ParsePKIXPublicKey", }, { name: "ParseRevocationList", }, { name: "RevocationList.CheckSignatureFrom", }, { name: "SetFallbackRoots", }, { name: "SystemCertPool", }, ], vendor: "Go standard library", versions: [ { lessThan: "1.22.11", status: "affected", version: "0", versionType: "semver", }, { lessThan: "1.23.5", status: "affected", version: "1.23.0-0", versionType: "semver", }, { lessThan: "1.24.0-rc.2", status: "affected", version: "1.24.0-0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", value: "Juho Forsén of Mattermost", }, ], descriptions: [ { lang: "en", value: "A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-295: Improper Certificate Validation", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-30T19:14:21.421Z", orgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", shortName: "Go", }, references: [ { url: "https://go.dev/cl/643099", }, { url: "https://go.dev/issue/71156", }, { url: "https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ", }, { url: "https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ", }, { url: "https://pkg.go.dev/vuln/GO-2025-3373", }, ], title: "Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509", }, }, cveMetadata: { assignerOrgId: "1bb62c36-49e3-4200-9d77-64a1400537cc", assignerShortName: "Go", cveId: "CVE-2024-45341", datePublished: "2025-01-28T01:03:24.353Z", dateReserved: "2024-08-27T19:41:58.556Z", dateUpdated: "2025-02-21T18:03:33.296Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }