Certificate Misconfiguration in Private PKIs by Go Programming Language
CVE-2024-45341

6.1 MEDIUM

Key Information:

Vendor
CVE Published:
28 January 2025

Badges

📰 News Worthy

What is CVE-2024-45341?

A certificate validation issue has been identified in the Go programming language: a certificate with a URI containing an IPv6 address with a zone ID may improperly satisfy a URI name constraint that applies to the certificate chain. This flaw primarily affects users operating private PKIs that use certificates with URIs, as such constructions are not typically allowed within the public key infrastructure (PKI).
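One way to check whether a private PKI has issued certificates of this shape is to scan their URI SANs for IPv6 literals that carry a zone ID. The following is an added example, not code from the Go project or from this advisory; the helper names and the sample URIs are constructed for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net/netip"
	"net/url"
)

// zonedURISANs returns the URI SANs of cert whose host is an IPv6 literal
// with a zone ID, e.g. "fe80::1%eth0" (hypothetical helper name).
func zonedURISANs(cert *x509.Certificate) []string {
	var hits []string
	for _, u := range cert.URIs {
		// Hostname() strips the port and the brackets around an IPv6 literal.
		addr, err := netip.ParseAddr(u.Hostname())
		if err != nil {
			continue // host is a DNS name, not an IP literal
		}
		if addr.Zone() != "" {
			hits = append(hits, u.String())
		}
	}
	return hits
}

// sampleCert builds an in-memory certificate whose URI SANs are constructed
// sample values; a real audit would use x509.ParseCertificate on issued certs.
func sampleCert() *x509.Certificate {
	cert := &x509.Certificate{}
	for _, raw := range []string{
		"https://svc.example.internal/app", // DNS host
		"https://[2001:db8::1]/app",        // IPv6 literal, no zone
		"https://[fe80::1%25eth0]/app",     // IPv6 literal with zone ID
	} {
		u, err := url.Parse(raw)
		if err != nil {
			panic(err)
		}
		cert.URIs = append(cert.URIs, u)
	}
	return cert
}

func main() {
	for _, s := range zonedURISANs(sampleCert()) {
		fmt.Println("URI SAN with IPv6 zone ID:", s)
	}
}
```

Any certificate this flags is worth reviewing alongside an upgrade to a fixed Go release listed under Affected Version(s).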

Affected Version(s)

crypto/x509 0 < 1.22.11

crypto/x509 1.23.0-0 < 1.23.5

crypto/x509 1.24.0-0 < 1.24.0-rc.2

News Articles

KrakenD CE v2.9 released with improved sequential proxy and security

Discover the latest KrakenD updates, including enhanced sequential proxies, YAML encoding, offline linter capabilities, Lua header management, and critical security fixes

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • 📰 First article discovered by KrakenD

  • Vulnerability Reserved

Credit

Juho Forsén of Mattermost