Vulnerability Report: GO-2021-0154
- CVE-2014-7189
- Affects: crypto/tls
- Published: May 25, 2022
- Modified: Jun 12, 2023
When SessionTicketsDisabled is set to true, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors. If a server enables certificate-based TLS client authentication (this is rare) and explicitly sets SessionTicketsDisabled to true in its tls.Config, a malicious client can falsely assert ownership of any client certificate it wishes.
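As an added example (not code from the report or from the Go project), the following hypothetical helpers audit a server tls.Config and a toolchain version string against the two preconditions the report names: certificate-based client authentication combined with SessionTicketsDisabled, on a Go release in the affected range. It assumes any ClientAuth other than NoClientCert counts as certificate-based client authentication, and it treats pre-release suffixes such as "rc1" as the base release.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strconv"
	"strings"
)
// versionKey maps "go1.3.1", "go1.3" or "go1.3rc1" to an orderable integer
// (major*1e6 + minor*1e3 + patch); non-release strings such as "devel" give ok=false.
func versionKey(v string) (key int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	if i := strings.IndexFunc(v, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		v = v[:i] // drop pre-release suffixes such as "rc1" or "beta2"
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, false
	}
	for _, p := range append(parts, "0")[:3] { // a missing patch level counts as 0
		n, err := strconv.Atoi(p)
		if err != nil || n >= 1000 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, true
}

// ToolchainInAffectedRange applies the report's range: from go1.1.0-0 (go1.1) before go1.3.2.
func ToolchainInAffectedRange(goVersion string) bool {
	key, ok := versionKey(goVersion)
	const lo, hi = 1001000, 1003002 // keys for go1.1.0 and the fixed release go1.3.2
	return ok && key >= lo && key < hi
}

// ConfigMatchesPreconditions: client-certificate auth (assumption: any ClientAuth
// other than NoClientCert) together with SessionTicketsDisabled set to true.
func ConfigMatchesPreconditions(cfg *tls.Config) bool {
	return cfg != nil && cfg.ClientAuth != tls.NoClientCert && cfg.SessionTicketsDisabled
}

// AtRisk is true only when both the config shape and the toolchain version match.
func AtRisk(cfg *tls.Config, goVersion string) bool {
	return ConfigMatchesPreconditions(cfg) && ToolchainInAffectedRange(goVersion)
}

func main() {
	fmt.Println(AtRisk(&tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}, "go1.3.1")) // true
}
```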
Affected Packages
- Path: crypto/tls
- Versions: from go1.1.0-0 before go1.3.2
- Symbols: all symbols
Aliases
References
- https://go.dev/cl/148080043
- https://go.googlesource.com/go/+/commit/64df53ed7f
- https://go.dev/issue/53085
- https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ
- https://vuln.go.dev/ID/GO-2021-0154.json
Credits
- Go Team