CVE-2024-9355

{"id": "CVE-2024-9355", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 1.0}]}, "published": "2024-10-01T19:15:09.793", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:7502", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:7550", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:8327", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:8678", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:8847", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-9355", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-457"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Golang FIPS OpenSSL. Esta falla permite que un usuario malintencionado haga que se devuelva aleatoriamente una variable de longitud de b\u00fafer no inicializada con un b\u00fafer puesto a cero en modo FIPS. Tambi\u00e9n es posible forzar una coincidencia de falso positivo entre hashes no iguales al comparar una suma hmac calculada confiable con una suma de entrada no confiable si un atacante puede enviar un b\u00fafer puesto a cero en lugar de una suma calculada previamente. Tambi\u00e9n es posible forzar que una clave derivada sea todo ceros en lugar de un valor impredecible. Esto puede tener implicaciones posteriores para la pila TLS de Go."}], "lastModified": "2024-11-05T08:15:04.413", "sourceIdentifier": "secalert@redhat.com"}