Pluto TLS Session Integrity Vulnerability
CVE-2024-32973

4.8 MEDIUM

Key Information:

Vendor: Plutolang
Product: Pluto
CVE Published: 1 May 2024

Summary

In affected versions of Pluto, an attacker who can actively intercept network traffic can present a specially crafted certificate that manipulates the trust decisions the Pluto language interpreter makes during a TLS session. The result is an unexpected reduction in transport integrity for connections made through Pluto's HTTP library and through socket.starttls; the CVSS assessment below rates the impact as Integrity High with no loss of confidentiality or availability. The issue is fixed in version 0.9.3. No workarounds are available, so users of affected versions should upgrade.

Affected Version(s)

Pluto >= 0.9.0, < 0.9.3

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved