CVE-2022-30629

Published: 02 Jun 2022
Source: redhat
CVSS3: 3.1
EPSS: Low

Description

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Migration Toolkit for Containers | cpma | Fix deferred | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Affected | | |
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-must-gather-api-rhel8 | Affected | | |
| mirror registry for Red Hat OpenShift | mirror-registry-container | Affected | | |
| OpenShift Developer Tools and Services | helm | Affected | | |
| OpenShift Developer Tools and Services | odo | Affected | | |
| OpenShift Pipelines | openshift-pipelines-client | Affected | | |
| OpenShift Serverless | openshift-serverless-1-eventing-kafka-channel-webhook-rhel8-container | Fix deferred | | |
| OpenShift Service Mesh 2.0 | ior | Fix deferred | | |
| OpenShift Service Mesh 2.0 | kiali | Fix deferred | | |

Additional information

Status: Low
Defect: CWE-331
Bugzilla: golang: crypto/tls: session tickets lack random ticket_age_add (https://bugzilla.redhat.com/show_bug.cgi?id=2092793)

EPSS

Percentile: 15%
0.00048
Low

CVSS3: 3.1 Low

Related vulnerabilities

CVSS3: 3.1
ubuntu
almost 3 years ago

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

CVSS3: 3.1
nvd
almost 3 years ago

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

CVSS3: 3.1
msrc
almost 3 years ago

No description available

CVSS3: 3.1
debian
almost 3 years ago

Non-random values for ticket_age_add in session tickets in crypto/tls ...

CVSS3: 7.5
github
almost 3 years ago

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
