blob: d52e1bba006df9bcbec59e3b8d8da657d68fade6 [file] [log] [blame]
id: GO-2021-0154
modules:
- module: std
versions:
- introduced: 1.1.0-0
fixed: 1.3.2
vulnerable_at: 1.3.1
packages:
- package: crypto/tls
symbols:
- checkForResumption
- decryptTicket
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
description: |
When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle
attackers to spoof clients via unspecified vectors.
If the server enables TLS client authentication using certificates (this is
rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config,
then a malicious client can falsely assert ownership of any client
certificate it wishes.
published: 2022-05-25T21:11:41Z
cves:
- CVE-2014-7189
credits:
- Go Team
references:
- fix: https://go.dev/cl/148080043
- fix: https://go.googlesource.com/go/+/commit/64df53ed7f
- report: https://go.dev/issue/53085
- web: https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ