CVE-2024-9355Use of Uninitialized Variable in Golang-fips Openssl

CWE-457Use of Uninitialized Variable7 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 78.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
Github.com Golang-fips OpensslMsrc Azl3 Golang 1.22.7-3 ON Azure Linux 3.0Msrc Azl3 Golang 1.22.9-1 ON Azure Linux 3.0+6 more
Timeline
PublishedOct 1
Latest updateOct 9

Description

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:LExploitability: 1.0 | Impact: 5.5

Affected Packages9 packages

🔴Vulnerability Details

3
OSV
Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl2024-10-09
OSV
Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability2024-10-01
GHSA
Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability2024-10-01

📋Vendor Advisories

2
Microsoft
Golang-fips: golang fips zeroed buffer2024-10-08
Red Hat
golang-fips: Golang FIPS zeroed buffer2024-09-30

💬Community

1
Bugzilla
CVE-2024-9355 golang-fips: Golang FIPS zeroed buffer2024-09-30
CVE-2024-9355 — Use of Uninitialized Variable | cvebase