Vulnerability Report: GO-2023-1570

CVE-2022-41724
Affects: crypto/tls
Published: Feb 16, 2023
Modified: Jun 12, 2023

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

Affected Packages

Path

Versions

Symbols
crypto/tls

before go1.19.6, from go1.20.0-0 before go1.20.1
9 affected symbols

Aliases

CVE-2022-41724

References

https://golang.ir/issue/58001
https://golang.ir/cl/468125
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
https://vuln.go.dev/ID/GO-2023-1570.json

Credits

Marten Seemann

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL