CVE-2022-30629
Public on 2022-08-10
Modified on 2023-01-27
Description
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
Severity
Low
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | go-rpm-macros | 2022-10-17 | ALAS2-2022-1863 | Fixed |
| Amazon Linux 1 | golang | 2022-09-15 | ALAS-2022-1635 | Fixed |
| Amazon Linux 2 - Core | golang | 2022-09-15 | ALAS2-2022-1846 | Fixed |
| Amazon Linux 2023 | golang | 2023-02-17 | ALAS2023-2023-048 | Fixed |
| Amazon Linux 2023 | golang-github-cpuguy83-md2man | 2023-02-17 | ALAS2023-2023-047 | Fixed |
| Amazon Linux 2 - Core | golang-github-godbus-dbus | 2022-10-17 | ALAS2-2022-1858 | Fixed |
| Amazon Linux 2 - Core | golang-github-gorilla-context | 2022-10-17 | ALAS2-2022-1859 | Fixed |
| Amazon Linux 2 - Core | golang-github-gorilla-mux | 2022-10-17 | ALAS2-2022-1860 | Fixed |
| Amazon Linux 2 - Core | golang-github-kr-pty | 2022-10-17 | ALAS2-2022-1864 | Fixed |
| Amazon Linux 2 - Core | golang-github-syndtr-gocapability | 2022-10-17 | ALAS2-2022-1865 | Fixed |
| Amazon Linux 2 - Core | golang-googlecode-net | 2022-10-17 | ALAS2-2022-1861 | Fixed |
| Amazon Linux 2 - Core | golang-googlecode-sqlite | 2022-10-17 | ALAS2-2022-1862 | Fixed |
| Amazon Linux 2 - Core | golist | 2022-09-15 | ALAS2-2022-1847 | Fixed |
| Amazon Linux 2023 | golist | 2023-02-17 | ALAS2023-2023-046 | Fixed |
| Amazon Linux 2 - Docker Extra | runc | 2022-09-30 | ALAS2DOCKER-2022-020 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
| NVD | CVSSv3 | 3.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |