CVE-2024-45341
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
CVSS 3.1 base score: 6.1 (MEDIUM)
EPSS: 0.12%
Description
A certificate containing a URI whose host is an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs that make use of URIs.
How to fix CVE-2024-45341
To remediate CVE-2024-45341, upgrade the affected package to a fixed version below.
- upgrade to 1.22.11 or later
- no fix listed
- no fix listed
- upgrade to 1.24~rc2-1 or later
- upgrade to 1.22.11 or later
Is CVE-2024-45341 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- affected: >= 0, < 1.22.11; >= 1.23.0-0, < 1.23.5; >= 1.24.0-0, < 1.24.0
- affected: >= 0 (no fixed version listed)
- affected: >= 0 (no fixed version listed)
- affected: >= 0, < 1.24~rc2-1
- affected: >= 0, < 1.22.11; >= 1.23.0-0, < 1.23.5; >= 1.24.0-0, < 1.24.0-rc.2
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |