CVE-2014-7189

EPSS 0.29%

Man-in-the-middle attack with SessionTicketsDisabled in crypto/tls

發布日:2022/5/25修改日:2024/6/3

描述

When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.

受影響套件(1)

Go/stdlib>= 1.1.0-0, < 1.3.2

參考連結(3)

PATCHhttps://go.dev/cl/148080043
REPORThttps://go.dev/issue/53085
WEBhttps://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ