[GO-2024-2598] Verify panics on certificates with an unknown public key algorithm in crypto/x509

Affected Packages 2

Fixed Packages 2

CVEs 1

Verifying a certificate chain which contains a certificate with an unknown
public key algorithm will cause Certificate.Verify to panic.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to
VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is
for TLS servers to not verify client certificates.

Package	Affected Version
pkg:golang/crypto/x509	>= 1.22.0, < 1.21.8
pkg:golang/crypto/x509	>= 1.22.0, < 1.22.1

Package	Fixed Version
pkg:golang/crypto/x509	= 1.21.8
pkg:golang/crypto/x509	= 1.22.1

ID

GO-2024-2598

URL

https://pkg.go.dev/vuln/GO-2024-2598

Published

2024-03-05T21:33:39
(6 months ago)

Modified

2024-07-17T19:54:18
(2 months ago)

Other Advisories

Type	Package URL	Namespace	Name / Product	Version
Fixed	pkg:golang/crypto/x509	crypto	x509	= 1.21.8
Affected	pkg:golang/crypto/x509	crypto	x509	>= 1.22.0 < 1.21.8
Fixed	pkg:golang/crypto/x509	crypto	x509	= 1.22.1
Affected	pkg:golang/crypto/x509	crypto	x509	>= 1.22.0 < 1.22.1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date