CVE-2024-24783

Public on 2024-03-05

Modified on 2024-03-12

Description

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

Severity

Medium

CVSS v3 Base Score

5.9

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 1	golang			No Fix Planned
Amazon Linux 2 - Core	golang	2024-05-23	ALAS2-2024-2554	Fixed
Amazon Linux 2023	golang	2024-05-23	ALAS2023-2024-629	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD	CVSSv3	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Red Hat: CVE-2024-24783 Mitre: CVE-2024-24783