CVE-2022-41724
Panic on large handshake records in crypto/tls
CVSS 3.1 score: 7.5 (HIGH)
EPSS: 0.02%
Description
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
How to fix CVE-2022-41724
To remediate CVE-2022-41724, upgrade the affected package to a fixed version below.
- (package name not listed) upgrade to 1.19.6 or later
- (package name not listed) no fix listed
- (package name not listed) upgrade to 1.19.6-2 or later
- (package name not listed) upgrade to 1.19.6 or later
Is CVE-2022-41724 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- (package name not listed) affected: >= 0 and < 1.19.6; >= 1.20.0 and < 1.20.1
- (package name not listed) affected: >= 0 (no upper bound listed)
- (package name not listed) affected: >= 0 and < 1.19.6-2
- (package name not listed) affected: >= 0 and < 1.19.6; >= 1.20.0-0 and < 1.20.1
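The description and the affected ranges above together define when a Go process is exposed: an affected toolchain (< 1.19.6, or >= 1.20.0 and < 1.20.1) combined with one of the three vulnerable crypto/tls configurations. The following program is an added example, not code from the advisory or from the Go project, that encodes both checks so a defender can audit a tls.Config and a toolchain version string. It assumes runtime.Version() strings of the form "go1.MINOR.PATCH" (pre-release tags such as rc1 are treated as patch 0), treats unparseable versions as affected, and treats MaxVersion == 0 as "TLS 1.3 enabled", which matches Go's default of negotiating the highest supported version.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Role distinguishes how a tls.Config is used, since the advisory's
// conditions differ for clients and servers.
type Role int

const (
	RoleClient Role = iota
	RoleServer
)

// goVersionRe matches the prefix of runtime.Version() strings such as
// "go1.19.5", "go1.20" or "go1.20rc1" (pre-release tags count as patch 0).
var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// ToolchainAffected reports whether a Go toolchain version lies in the
// affected ranges from the advisory: < 1.19.6, or >= 1.20.0 and < 1.20.1.
// Versions that cannot be parsed (e.g. "devel" builds) are reported as
// affected so that an audit errs on the side of investigating.
func ToolchainAffected(version string) bool {
	m := goVersionRe.FindStringSubmatch(version)
	if m == nil {
		return true
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	if major != 1 {
		return false // assumption: only the Go 1.x line is in scope
	}
	switch {
	case minor < 19:
		return true
	case minor == 19:
		return patch < 6
	case minor == 20:
		return patch < 1
	default:
		return false
	}
}

// tls13Enabled reports whether the config allows TLS 1.3 to be negotiated.
// MaxVersion == 0 means "highest supported", which includes TLS 1.3.
func tls13Enabled(c *tls.Config) bool {
	return c.MaxVersion == 0 || c.MaxVersion >= tls.VersionTLS13
}

// ConfigAffected reports whether a tls.Config used in the given role matches
// one of the vulnerable configurations named in the advisory:
//   - any client that can negotiate TLS 1.3,
//   - a TLS 1.2-only client with session resumption enabled (ClientSessionCache != nil),
//   - a TLS 1.3 server that requests client certificates (ClientAuth >= RequestClientCert).
func ConfigAffected(c *tls.Config, role Role) bool {
	if c == nil {
		c = &tls.Config{} // a nil config means defaults, which include TLS 1.3
	}
	switch role {
	case RoleClient:
		return tls13Enabled(c) || c.ClientSessionCache != nil
	case RoleServer:
		return tls13Enabled(c) && c.ClientAuth >= tls.RequestClientCert
	}
	return false
}

// Exposed combines both checks: a process is exposed only when it runs on an
// affected toolchain and uses an affected configuration.
func Exposed(version string, c *tls.Config, role Role) bool {
	return ToolchainAffected(version) && ConfigAffected(c, role)
}

func main() {
	// Constructed sample configurations, for illustration only.
	client13 := &tls.Config{MinVersion: tls.VersionTLS12}
	client12NoResume := &tls.Config{MaxVersion: tls.VersionTLS12}
	client12Resume := &tls.Config{MaxVersion: tls.VersionTLS12, ClientSessionCache: tls.NewLRUClientSessionCache(32)}
	serverNoClientAuth := &tls.Config{}
	serverMTLS := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}

	v := runtime.Version()
	fmt.Printf("running on %s (toolchain affected: %v)\n", v, ToolchainAffected(v))
	fmt.Println("TLS 1.3 client on go1.19.5:          ", Exposed("go1.19.5", client13, RoleClient))
	fmt.Println("TLS 1.2 client, no resumption:       ", Exposed("go1.19.5", client12NoResume, RoleClient))
	fmt.Println("TLS 1.2 client with resumption:      ", Exposed("go1.19.5", client12Resume, RoleClient))
	fmt.Println("TLS 1.3 server, no client auth:      ", Exposed("go1.19.5", serverNoClientAuth, RoleServer))
	fmt.Println("TLS 1.3 server with mTLS:            ", Exposed("go1.19.5", serverMTLS, RoleServer))
	fmt.Println("mTLS server on fixed go1.19.6:       ", Exposed("go1.19.6", serverMTLS, RoleServer))
}
```

Because Go clients negotiate TLS 1.3 by default, almost every client built on an affected toolchain is in scope regardless of its config; the configuration check mainly narrows the server side, where only deployments that request client certificates are affected. Upgrading the toolchain is the fix; the configuration check only helps prioritise which binaries to rebuild first.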
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |