CVE-2024-24783

Name
CVE-2024-24783
Description
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security@golang.org https://go.dev/cl/569339
security@golang.org https://go.dev/issue/65390
security@golang.org https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
security@golang.org https://pkg.go.dev/vuln/GO-2024-2598
security@golang.org https://security.netapp.com/advisory/ntap-20240329-0005/
security@golang.org http://www.openwall.com/lists/oss-security/2024/03/08/4

Match rules

CPE URI Source package Min version Max version
crypto/x509 >= 0 < 1.21.8
crypto/x509 >= 1.22.0-0 < 1.22.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status