blob: 0b756d9114a8f35919eb540a8be019ba854793f5 [file] [log] [blame]
id: GO-2021-0154
modules:
- module: std
versions:
- introduced: 1.1.0-0
fixed: 1.3.2
vulnerable_at: 1.3.1
packages:
- package: crypto/tls
symbols:
- checkForResumption
- decryptTicket
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Man-in-the-middle attack with SessionTicketsDisabled in crypto/tls
description: |-
When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
attackers to spoof clients via unspecified vectors.
If the server enables TLS client authentication using certificates (this is
rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then
a malicious client can falsely assert ownership of any client certificate it
wishes.
published: 2022-05-25T21:11:41Z
cves:
- CVE-2014-7189
credits:
- Go Team
references:
- fix: https://go.dev/cl/148080043
- fix: https://go.googlesource.com/go/+/commit/64df53ed7f
- report: https://go.dev/issue/53085
- web: https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ
review_status: REVIEWED