CVE-2022-30629

Aliases:GO-2022-0531BIT-golang-2022-30629

Advisory lineage Upstream: 0 Downstream: 25

Downstream

DEBIAN-CVE-2022-30629 MGASA-2022-0231 OPENSUSE-SU-2024:12123-1 OPENSUSE-SU-2024:12124-1 RHSA-2022:5775 RHSA-2022:5799

Modified

Published: 09 Aug 2022, 20:17

Last modified:06 Mar 2026, 19:12

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

3.1 LOW

v3.1 (nvd)

EPSS Score

0.07% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

09 Aug 2022, 20:17

Published

Vulnerability first disclosed

06 Mar 2026, 19:12

Last Modified

Vulnerability information updated

Description

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

CVSS Metrics

v3.1•LOW•Score: 3.1CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.07%• Percentile: 22%

Techniques & Countermeasures

CWE-330•Use of Insufficiently Random Values
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Affected Systems

go standard library•crypto/tls
< 1.17.11 | ≥ 1.18.0-0, < 1.18.3
golang•go
< 1.17.11 | ≥ 1.18.0, < 1.18.3
Go•stdlib
≥ 1.18.0-0, < 1.18.3