CVE-2021-34558

CWE-295Improper Certificate ValidationCWE-20Improper Input Validation8 documents7 sources
Severity
6.5MEDIUM
EPSS
0.9%
top 24.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Golang GOOracle Timesten In-memory DatabaseFedoraproject Fedora
Timeline
PublishedJul 15
Latest updateMay 24

Description

The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

Gostdlib1.16.0-01.16.6+1
NVDgolang/go1.16.01.16.6+1
Debiangolang-1.15< 1.15.9-6

Also affects: Fedora 33, 34

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
GHSA-hqrm-74p3-w275: The crypto/tls package of Go through 12022-05-24
OSV
Panic on certain certificates in crypto/tls2022-02-17
CVEList
CVE-2021-34558: The crypto/tls package of Go through 12021-07-15
OSV
CVE-2021-34558: The crypto/tls package of Go through 12021-07-15

📋Vendor Advisories

3
Red Hat
golang: crypto/tls: certificate of wrong type is causing TLS client to panic2021-07-13
Microsoft
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange allowing a malici2021-07-13
Debian
CVE-2021-34558: golang-1.15 - The crypto/tls package of Go through 1.16.5 does not properly assert that the ty...2021