GO-2024-3167
- Source
- https://pkg.go.dev/vuln/GO-2024-3167
- Import Source
- https://vuln.go.dev/ID/GO-2024-3167.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2024-3167
- Aliases
-
- CVE-2024-9355
- GHSA-3h3x-2hwv-hr52
- Published
- 2024-10-09T20:29:23Z
- Modified
- 2024-11-05T22:52:33Z
- Summary
- Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl
- Details
-
A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2024-3167" }- References
Affected packages
Go / github.com/golang-fips/openssl
Package
- Name
- github.com/golang-fips/openssl
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/golang-fips/openssl