Vulnerability Report: GO-2021-0154

CVE-2014-7189
Affects: crypto/tls
Published: May 25, 2022
Modified: Jun 12, 2023

When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.

Affected Packages

Path

Versions

Symbols
crypto/tls

from go1.1.0-0 before go1.3.2

all symbols

Aliases

CVE-2014-7189

References

https://go.dev/cl/148080043
https://go.googlesource.com/go/+/commit/64df53ed7f
https://go.dev/issue/53085
https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ
https://vuln.go.dev/ID/GO-2021-0154.json

Credits

Go Team

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL