Certificate Chain Verification Panics with Unknown Public Key Algorithm
CVE-2024-24783

5.9MEDIUM

Key Information:

Vendor: Go Standard Library
Status: Crypto/x509
Vendor: CVE Published:; 5 March 2024

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2024-24783?

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

Affected Version(s)

crypto/x509 0 < 1.21.8

crypto/x509 1.22.0-0 < 1.22.1

References

https://go.dev/issue/65390

https://go.dev/cl/569339

https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 5, 2024
Vulnerability Reserved
Jan 30, 2024

Credit

John Howard (Google)