CVE-2024-24783

MEDIUM

TLS - Info Disclosure

Title source: llm

Description

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

Scores

CVSS v3: 5.9
EPSS: 0.0066
EPSS Percentile: 46.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-476
Status: published
Products (2):
Go standard library/crypto/x509 < 1.21.8
Go standard library/crypto/x509 1.22.0-0 - 1.22.1
Published: Mar 05, 2024
Tracked Since: Feb 18, 2026