Vulnerability Description
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
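An added example (not Go's crypto/tls code and not the patch) of why a non-random ticket_age_add matters: a resuming TLS 1.3 client sends its ticket age in the ClientHello masked only by that value. The timeline, the tolerance, the non-random value modelled as 0, and the helper names obfuscatedAge, randomAgeAdd and linkedTo are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// obfuscatedAge is the value a TLS 1.3 client sends in cleartext when
// resuming (RFC 8446, 4.2.11): ticket age in ms + ticket_age_add, mod 2^32.
func obfuscatedAge(ageMs, ticketAgeAdd uint32) uint32 {
	return ageMs + ticketAgeAdd // uint32 addition wraps mod 2^32
}

// randomAgeAdd draws a fresh per-ticket ticket_age_add from the CSPRNG.
func randomAgeAdd() (uint32, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint32(b[:]), nil
}

// linkedTo reports which earlier handshake time (ms) an observer would tie a
// resumption to if it treats the wire value as the real ticket age.
// It returns -1 when no earlier handshake falls within tolMs.
func linkedTo(earlier []int64, resumeAtMs int64, wire uint32, tolMs int64) int64 {
	issued := resumeAtMs - int64(wire)
	for _, t := range earlier {
		if d := t - issued; d >= -tolMs && d <= tolMs {
			return t
		}
	}
	return -1
}

func main() {
	// Constructed timeline: three first-time handshakes, then one resumption
	// by the client that connected at t=45000 ms.
	earlier := []int64{10000, 45000, 90000}
	resumeAt, age := int64(600000), uint32(555000)
	weak := obfuscatedAge(age, 0) // assumption: non-random value modelled as 0
	fmt.Println("fixed ticket_age_add links to:", linkedTo(earlier, resumeAt, weak, 500))
	add, err := randomAgeAdd()
	if err != nil {
		panic(err)
	}
	fmt.Println("random ticket_age_add links to:", linkedTo(earlier, resumeAt, obfuscatedAge(age, add), 500))
}
```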
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.17.11 |
Related Weaknesses (CWE)
References
- https://go.dev/cl/405994 (Patch)
- https://go.dev/issue/52814 (Exploit, Issue Tracking, Vendor Advisory)
- https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5 (Mailing List, Patch)
- https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ (Mailing List, Vendor Advisory)
- https://pkg.go.dev/vuln/GO-2022-0531 (Vendor Advisory)
FAQ
What is CVE-2022-30629?
CVE-2022-30629 is a vulnerability with a CVSS score of 3.1 (LOW). Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing...
How severe is CVE-2022-30629?
CVE-2022-30629 has been rated LOW with a CVSS base score of 3.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-30629?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go.