CVE-2021-34558

Aliases:GO-2021-0243BIT-golang-2021-34558
Advisory lineage Upstream: 0 Downstream: 31
Modified
Published: 15 Jul 2021, 13:47
Last modified:04 Aug 2024, 00:12

Vulnerability Summary

Overall Risk (default)
medium
26/100
CVSS Score
6.5 MEDIUM
v3.1 (nvd)
EPSS Score
0.92% LOW
1% probability -0.56%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

15 Jul 2021, 13:47
Published
Vulnerability first disclosed
04 Aug 2024, 00:12
Last Modified
Vulnerability information updated

Description

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

CVSS Metrics

  • v3.1MEDIUMScore: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • v2.0LOWScore: 2.6AV:N/AC:H/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.92% Percentile: 76%

Techniques & Countermeasures

  • CWE-295Improper Certificate Validation

    The product does not validate, or incorrectly validates, a certificate.

Affected Systems

  • fedoraprojectfedora

    33 | 34

  • golanggo

    < 1.15.14 | ≥ 1.16.0, < 1.16.6

  • Gostdlib

    ≥ 1.16.0-0, < 1.16.6

  • netappcloud_insights_telegraf

    na

  • netappstoragegrid

    na

  • netapptrident

    na

  • oracletimesten_in-memory_database

    < 21.1.1.1.0

References (19)