Vulnerability Report: GO-2021-0154

standard library
  • CVE-2014-7189
  • Affects: crypto/tls
  • Published: May 25, 2022
  • Modified: Jun 03, 2024

When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.

Affected Packages

  • Path
    Go Versions
    Symbols
  • crypto/tls
    from go1.1.0-0 before go1.3.2
    2 unexported affected symbols
    • checkForResumption
    • decryptTicket

Aliases

References

Credits

  • Go Team

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.