CVE-2022-30629

low

Description

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
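A way to check deployed binaries against the version range in the description, as an added example (not code from the Go project or this advisory). The function name Affected and the command-line usage are assumptions of the example; it reads the toolchain version with the standard library's debug/buildinfo package.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// goVer matches release strings such as "go1.17.10", "go1.18" or "go1.18rc1".
var goVer = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+))?`)

// Affected reports whether a Go toolchain version is in the range the
// advisory gives: before 1.17.11, or 1.18.x before 1.18.3. ok is false for
// strings that are not release versions (e.g. "devel ..."); review those by hand.
func Affected(version string) (affected, ok bool) {
	m := goVer.FindStringSubmatch(version)
	if m == nil {
		return false, false
	}
	minor, _ := strconv.Atoi(m[1])
	patch := 0 // "go1.18" and pre-releases like "go1.18rc1" carry no patch number
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	switch {
	case minor < 17:
		return true, true
	case minor == 17:
		return patch < 11, true
	case minor == 18:
		return patch < 3, true
	}
	return false, true // 1.19 and later: outside the advisory's stated range
}

// main reads the toolchain version embedded in each binary named on the
// command line and reports whether it was built with an affected release.
func main() {
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Printf("%s: not a readable Go binary: %v\n", path, err)
			continue
		}
		affected, ok := Affected(info.GoVersion)
		fmt.Printf("%s: %s recognised=%v affected=%v\n", path, info.GoVersion, ok, affected)
	}
}
```

Because crypto/tls is part of the standard library, an affected binary is fixed by rebuilding it with Go 1.17.11, Go 1.18.3 or later, not by updating a module dependency.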

References

https://pkg.go.dev/vuln/GO-2022-0531

https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ

https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5

https://go.dev/cl/405994

Details

Source: Mitre, NVD

Published: 2022-08-10

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Severity: Low