CVE-2022-41724 — Uncontrolled Resource Consumption in Standard Library Crypto TLS

CWE-400 — Uncontrolled Resource Consumption13 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 94.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Crypto TLS Golang GO

Timeline

PublishedFeb 28

Latest updateNov 14

Description

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5go_standard_library/crypto_tls1.20.0-0 — 1.20.1+1

▶NVDgolang/go< 1.19.6+1

Patches

Patch: go.dev ↗Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

OSV

golang-1.17 vulnerabilities↗2024-11-14

▶

OSV

golang-1.18 vulnerabilities↗2024-11-14

▶

OSV

CVE-2022-41724: Large handshake records may cause panics in crypto/tls↗2023-02-28

▶

GHSA

GHSA-89mw-w342-mqrr: Large handshake records may cause panics in crypto/tls↗2023-02-28

▶

CVEList

Panic on large handshake records in crypto/tls↗2023-02-28

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Ubuntu

Go vulnerabilities↗2023-06-06

▶

Red Hat

golang: crypto/tls: large handshake records may cause panics↗2023-02-15

▶

Microsoft

Panic on large handshake records in crypto/tls↗2023-02-14

▶