CVE-2024-45341

Name
CVE-2024-45341
Description
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security@golang.org https://go.dev/cl/643099
security@golang.org https://go.dev/issue/71156
security@golang.org https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
security@golang.org https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
security@golang.org https://pkg.go.dev/vuln/GO-2025-3373
af854a3a-2127-422b-91ae-364da2661108 https://security.netapp.com/advisory/ntap-20250221-0004/

Match rules

CPE URI Source package Min version Max version
crypto/x509 >= 0 < 1.22.11
crypto/x509 >= 1.23.0-0 < 1.23.5
crypto/x509 >= 1.24.0-0 < 1.24.0-rc.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
go edge-community 1.23.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed
go 3.21-community 1.23.5-r0 Sören Tempel <soeren+alpine@soeren-tempel.net> fixed