Vulnerability Report: GO-2024-3167
- CVE-2024-9355, GHSA-3h3x-2hwv-hr52
- Affects: github.com/golang-fips/openssl
- Published: Oct 09, 2024
- Modified: Nov 05, 2024
A vulnerability was found in golang-fips/openssl. In FIPS mode, the flaw allows a malicious user to cause, nondeterministically, an uninitialized buffer-length variable to be returned together with a zeroed buffer. It may also be possible to force a false-positive match between non-equal hashes: when a trusted, locally computed HMAC sum is compared against an untrusted input sum, an attacker who can send a zeroed buffer in place of a pre-computed sum may pass the comparison. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-3h3x-2hwv-hr52.
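The following is an added illustration, not code from golang-fips/openssl or from this report. It models the failure mode the advisory describes with a fake backend that returns an all-zero sum, shows that a plain equality check then accepts an attacker-supplied zeroed tag, and pairs it with a verifier that fails closed when the computed MAC (or a derived key) is malformed. The standard library `crypto/hmac` stands in for the healthy backend; the function names, key and message bytes are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sumFunc models a MAC backend: key and message in, tag out.
type sumFunc func(key, msg []byte) []byte

// stdlibHMAC is the healthy backend (Go standard library HMAC-SHA256).
func stdlibHMAC(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// zeroedHMAC models the degraded behaviour from GO-2024-3167: a buffer of the
// right size comes back, but it is all zeros instead of the real sum.
// This is a constructed stand-in, not the golang-fips/openssl code path.
func zeroedHMAC(key, msg []byte) []byte {
	return make([]byte, sha256.Size)
}

// naiveVerify is the pattern the advisory warns about: it trusts whatever the
// backend returns, so a zeroed computed sum matches a zeroed attacker tag.
func naiveVerify(sum sumFunc, key, msg, tag []byte) bool {
	return hmac.Equal(sum(key, msg), tag)
}

var errMalformedMAC = errors.New("computed MAC is malformed")
var errMalformedKey = errors.New("derived key is all zeros")

// isAllZero reports whether every byte of b is zero, without an early exit
// that would leak the position of the first non-zero byte.
func isAllZero(b []byte) bool {
	var acc byte
	for _, x := range b {
		acc |= x
	}
	return acc == 0
}

// hardenedVerify refuses to compare at all if the computed sum has the wrong
// length or is all zeros. A genuine HMAC-SHA256 output is all zeros with
// probability 2^-256, so this check never rejects an honest backend.
func hardenedVerify(sum sumFunc, key, msg, tag []byte) (bool, error) {
	expected := sum(key, msg)
	if len(expected) != sha256.Size || isAllZero(expected) {
		return false, errMalformedMAC
	}
	return hmac.Equal(expected, tag), nil
}

// checkDerivedKey applies the same fail-closed rule to KDF output, matching the
// advisory's note that a derived key could come back as all zeros.
func checkDerivedKey(k []byte) error {
	if len(k) == 0 || isAllZero(k) {
		return errMalformedKey
	}
	return nil
}

func main() {
	key := []byte("constructed-test-key")
	msg := []byte("constructed message")
	forgedTag := make([]byte, sha256.Size) // attacker sends a zeroed sum

	fmt.Println("naive, healthy backend, zero tag:  ", naiveVerify(stdlibHMAC, key, msg, forgedTag))
	fmt.Println("naive, degraded backend, zero tag: ", naiveVerify(zeroedHMAC, key, msg, forgedTag))
	ok, err := hardenedVerify(zeroedHMAC, key, msg, forgedTag)
	fmt.Println("hardened, degraded backend:        ", ok, err)
	fmt.Println("derived key check on zeros:        ", checkDerivedKey(make([]byte, 32)))
}
```

The length and all-zero checks are cheap and sit in front of the constant-time comparison, so a backend that silently degrades (as opposed to returning an error) cannot turn an attacker-controlled zero buffer into a valid tag. They are a belt-and-braces measure on top of fixing the underlying error handling, not a substitute for it.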
Affected Modules
- Path: github.com/golang-fips/openssl
- Go Versions: all versions, no known fixed
References
- https://github.com/advisories/GHSA-3h3x-2hwv-hr52
- https://github.com/golang-fips/openssl/pull/198
- https://github.com/github/advisory-database/pull/4950
- https://vuln.go.dev/ID/GO-2024-3167.json