logo

Database

Security controls bypass or absence In stdlib

Description

Man-in-the-middle attack with SessionTicketsDisabled in crypto/tls When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors.

If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2014-71892. NVD-2014-71893. OSV-GO-2021-01544. OSV-2014-71895. GCVE-2014-7189

References

1. https://go.dev/cl/1480800432. https://go.dev/issue/530853. https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.