1. Home
  2. Security Advisories
  3. Go
  4. GO-2023-1570

[GO-2023-1570] Panic on large handshake records in crypto/tls

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages Vulnerabilities

Large handshake records may cause panics in crypto/tls.

Both clients and servers may send large TLS handshake records which cause
servers and clients, respectively, to panic when attempting to construct
responses.

This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable
session resumption (by setting Config.ClientSessionCache to a non-nil value),
and TLS 1.3 servers which request client certificates (by setting
Config.ClientAuth >= RequestClientCert).

Package Affected Version
pkg:golang/crypto/tls >= 1.20.0, < 1.19.6
pkg:golang/crypto/tls >= 1.20.0, < 1.20.1
Package Fixed Version
pkg:golang/crypto/tls = 1.19.6
pkg:golang/crypto/tls = 1.20.1
ID
GO-2023-1570
Severity
high
Severity from
CVE-2022-41724
URL
https://pkg.go.dev/vuln/GO-2023-1570
Published
2023-02-16T21:12:45
(19 months ago)
Modified
2024-07-17T19:54:18
(2 months ago)
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Fixed pkg:golang/crypto/tls crypto tls = 1.19.6
Affected pkg:golang/crypto/tls crypto tls >= 1.20.0 < 1.19.6
Fixed pkg:golang/crypto/tls crypto tls = 1.20.1
Affected pkg:golang/crypto/tls crypto tls >= 1.20.0 < 1.20.1
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date