data/reports/GO-2025-3373.yaml - vulndb - Git at Google

 id: GO-2025-3373
 modules:
     - module: std
       versions:
         - fixed: 1.22.11
         - introduced: 1.23.0-0
         - fixed: 1.23.5
         - introduced: 1.24.0-0
         - fixed: 1.24.0-rc.2
       vulnerable_at: 1.23.1
       packages:
         - package: crypto/x509
           symbols:
             - matchURIConstraint
           derived_symbols:
             - CertPool.AppendCertsFromPEM
             - Certificate.CheckCRLSignature
             - Certificate.CheckSignature
             - Certificate.CheckSignatureFrom
             - Certificate.CreateCRL
             - Certificate.Verify
             - Certificate.VerifyHostname
             - CertificateRequest.CheckSignature
             - CreateCertificate
             - CreateCertificateRequest
             - CreateRevocationList
             - DecryptPEMBlock
             - EncryptPEMBlock
             - HostnameError.Error
             - MarshalECPrivateKey
             - MarshalPKCS1PrivateKey
             - MarshalPKCS1PublicKey
             - MarshalPKCS8PrivateKey
             - MarshalPKIXPublicKey
             - ParseCRL
             - ParseCertificate
             - ParseCertificateRequest
             - ParseCertificates
             - ParseDERCRL
             - ParseECPrivateKey
             - ParsePKCS1PrivateKey
             - ParsePKCS1PublicKey
             - ParsePKCS8PrivateKey
             - ParsePKIXPublicKey
             - ParseRevocationList
             - RevocationList.CheckSignatureFrom
             - SetFallbackRoots
             - SystemCertPool
 summary: Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
 description: |-
     A certificate with a URI which has a IPv6 address with a zone ID may incorrectly
     satisfy a URI name constraint that applies to the certificate chain.

     Certificates containing URIs are not permitted in the web PKI, so this only
     affects users of private PKIs which make use of URIs.
 credits:
     - Juho Forsén of Mattermost
 references:
     - fix: https://go.dev/cl/643099
     - report: https://go.dev/issue/71156
     - web: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
     - web: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
 cve_metadata:
     id: CVE-2024-45341
     cwe: 'CWE-295: Improper Certificate Validation'
 source:
     id: go-security-team
     created: 2025-01-27T15:30:58.450345-05:00
 review_status: REVIEWED
	id: GO-2025-3373
	modules:
	- module: std
	versions:
	- fixed: 1.22.11
	- introduced: 1.23.0-0
	- fixed: 1.23.5
	- introduced: 1.24.0-0
	- fixed: 1.24.0-rc.2
	vulnerable_at: 1.23.1
	packages:
	- package: crypto/x509
	symbols:
	- matchURIConstraint
	derived_symbols:
	- CertPool.AppendCertsFromPEM
	- Certificate.CheckCRLSignature
	- Certificate.CheckSignature
	- Certificate.CheckSignatureFrom
	- Certificate.CreateCRL
	- Certificate.Verify
	- Certificate.VerifyHostname
	- CertificateRequest.CheckSignature
	- CreateCertificate
	- CreateCertificateRequest
	- CreateRevocationList
	- DecryptPEMBlock
	- EncryptPEMBlock
	- HostnameError.Error
	- MarshalECPrivateKey
	- MarshalPKCS1PrivateKey
	- MarshalPKCS1PublicKey
	- MarshalPKCS8PrivateKey
	- MarshalPKIXPublicKey
	- ParseCRL
	- ParseCertificate
	- ParseCertificateRequest
	- ParseCertificates
	- ParseDERCRL
	- ParseECPrivateKey
	- ParsePKCS1PrivateKey
	- ParsePKCS1PublicKey
	- ParsePKCS8PrivateKey
	- ParsePKIXPublicKey
	- ParseRevocationList
	- RevocationList.CheckSignatureFrom
	- SetFallbackRoots
	- SystemCertPool
	summary: Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
	description: \|-
	A certificate with a URI which has a IPv6 address with a zone ID may incorrectly
	satisfy a URI name constraint that applies to the certificate chain.

	Certificates containing URIs are not permitted in the web PKI, so this only
	affects users of private PKIs which make use of URIs.
	credits:
	- Juho Forsén of Mattermost
	references:
	- fix: https://go.dev/cl/643099
	- report: https://go.dev/issue/71156
	- web: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
	- web: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
	cve_metadata:
	id: CVE-2024-45341
	cwe: 'CWE-295: Improper Certificate Validation'
	source:
	id: go-security-team
	created: 2025-01-27T15:30:58.450345-05:00
	review_status: REVIEWED