CVE-2024-45341
Published 2025-01-28
CVE-2024-45341: A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain…
Priority: P4 · 26 · medium
CVSS 3.1: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.46% (36.4th percentile)
A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
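For a private PKI that issues URI SANs, one way to find certificates in the input class described above is to flag any URI SAN whose host is an IPv6 literal carrying a zone ID. This is an added example, not code from the advisory or from the Go project; `Finding`, `ZonedURISANs` and `sampleCert` are hypothetical names, and the sample URIs are constructed.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net/netip"
	"net/url"
)

type Finding struct{ URI, Addr, Zone string } // one flagged URI SAN

// ZonedURISANs (hypothetical helper) returns every URI SAN in cert whose host
// parses as an IPv6 address carrying a zone ID.
func ZonedURISANs(cert *x509.Certificate) []Finding {
	var out []Finding
	for _, u := range cert.URIs {
		// Hostname() drops the port and the brackets around an IPv6 literal.
		addr, err := netip.ParseAddr(u.Hostname())
		if err != nil || addr.Zone() == "" {
			continue // DNS name, IPv4, or IPv6 without a zone
		}
		out = append(out, Finding{u.String(), addr.WithZone("").String(), addr.Zone()})
	}
	return out
}

// sampleCert returns a constructed, unsigned certificate value holding only
// made-up URI SANs, so the audit can run offline.
func sampleCert() *x509.Certificate {
	cert := &x509.Certificate{}
	for _, s := range []string{
		"spiffe://cluster.example/ns/default/sa/web",
		"https://[2001:db8::10]:8443/health",
		"https://[fe80::1%25eth0]:8443/svc",
	} {
		u, err := url.Parse(s)
		if err != nil {
			panic(err)
		}
		cert.URIs = append(cert.URIs, u)
	}
	return cert
}

func main() {
	for _, f := range ZonedURISANs(sampleCert()) {
		fmt.Printf("URI SAN %s: IPv6 %s with zone %q\n", f.URI, f.Addr, f.Zone)
	}
}
```

In practice the same function can be run over certificates loaded with `x509.ParseCertificate`; it only identifies certificates to review and does not replace upgrading to a fixed Go release.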
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24~rc2-1 (forky) | golang-1.24 1.24~rc2-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24~rc2-1 (forky) | golang-1.24 1.24~rc2-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24~rc2-1 (forky) | golang-1.24 1.24~rc2-1 (forky) |
| go_standard_library | crypto_x509 | < 1.22.11 | 1.22.11 |
| go_standard_library | crypto_x509 | >= 1.23.0-0 < 1.23.5 | 1.23.5 |
| go_standard_library | crypto_x509 | >= 1.24.0-0 < 1.24.0-rc.2 | 1.24.0-rc.2 |
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv · 6.1 MEDIUM
vendor_debian · 6.1 MEDIUM
vendor_redhat · 6.1 MEDIUM
vendor_ubuntu · 6.1 MEDIUM
Ubuntu
Go vulnerabilities
vendor_ubuntu·2025-06-18·CVSS 6.1
CVE-2024-45341 [MEDIUM] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Kyle Seely discovered that the Go net/http module did not properly handle
sensitive headers during repeated redirects. An attacker could possibly
use this issue to obtain sensitive information. (CVE-2024-45336)
Juho Forsén discovered that the Go crypto/x509 module incorrectly handled
IPv6 addresses during URI parsing. An attacker could possibly use this
issue to bypass certificate URI constraints. (CVE-2024-45341)
It was discovered that the Go crypto module did not properly handle
variable time instructions under certain circumstances on 64-bit Power
(ppc64el) systems. An attacker could possibly use this issue to expose
sensitive information. (CVE-2025-22866)
It was discovered that the Go http/httpproxy modul
Red Hat
golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
vendor_redhat·2025-01-17·CVSS 6.1
CVE-2024-45341 [MEDIUM] CWE-347 golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
A flaw was found in the crypto/x509 package of the Golang standard library. A certificate with a URI, which has an IPv6 address with a zone ID, may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI; this issue only affects users of private PKIs that make use of URIs.
Package: rhai-tech-preview/assisted-installer-agent-rhel8 (Assisted
Debian
CVE-2024-45341: golang-1.15 - A certificate with a URI which has an IPv6 address with a zone ID may incorrectly...
vendor_debian·2024·CVSS 6.1
CVE-2024-45341 [MEDIUM] CVE-2024-45341: golang-1.15 - A certificate with a URI which has an IPv6 address with a zone ID may incorrectly...
A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
Scope: local
bullseye: open
OSV
golang-1.22 vulnerabilities
osv·2025-06-18·CVSS 6.1
CVE-2024-45336 [MEDIUM] golang-1.22 vulnerabilities
Kyle Seely discovered that the Go net/http module did not properly handle
sensitive headers during repeated redirects. An attacker could possibly
use this issue to obtain sensitive information. (CVE-2024-45336)
Juho Forsén discovered that the Go crypto/x509 module incorrectly handled
IPv6 addresses during URI parsing. An attacker could possibly use this
issue to bypass certificate URI constraints. (CVE-2024-45341)
It was discovered that the Go crypto module did not properly handle
variable time instructions under certain circumstances on 64-bit Power
(ppc64el) systems. An attacker could possibly use this issue to expose
sensitive information. (CVE-2025-22866)
It was discovered that the Go http/httpproxy module did not properly
handle IPv6 zone IDs during hos
OSV
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
osv·2025-01-28
CVE-2024-45341 Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
GHSA
GHSA-3f6r-qh9c-x6mm: A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain
ghsa_unreviewed·2025-01-28
CVE-2024-45341 [MEDIUM] GHSA-3f6r-qh9c-x6mm: A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain
A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
OSV
CVE-2024-45341: A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain
osv·2025-01-28·CVSS 6.1
CVE-2024-45341 [MEDIUM] CVE-2024-45341: A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain
A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
No detection rules found.
No public exploits indexed.
Published: 2025-01-28