A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.
References
Configurations
No configuration.
History
05 Nov 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
30 Oct 2024, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Oct 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
03 Oct 2024, 01:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Oct 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
References |
|
01 Oct 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-01 19:15
Updated : 2024-11-05 08:15
NVD link : CVE-2024-9355
Mitre link : CVE-2024-9355
CVE.ORG link : CVE-2024-9355
JSON object : View
Products Affected
No product.
CWE
CWE-457
Use of Uninitialized Variable