PT-2014-7824 · Google+2 · Go+2

Published: 2014-10-07 · Updated: 2024-06-15 · CVE-2014-7189

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Go versions 1.1 through 1.3.2

Description
The issue allows man-in-the-middle attackers to spoof clients via unspecified vectors when SessionTicketsDisabled is enabled. It occurs when a server enables TLS client authentication using certificates and explicitly sets SessionTicketsDisabled to true in its tls.Config; a malicious client can then falsely assert ownership of any client certificate.

Recommendations
For Go versions 1.1 through 1.3.2, update to version 1.3.2 or later to resolve the issue. As a temporary workaround, consider disabling TLS client authentication using certificates, or setting SessionTicketsDisabled to false in the tls.Config, to minimize the risk of exploitation.
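As an added example (not code from this advisory or from the Go project), the check below audits a tls.Config for the combination the description names, certificate-based client authentication together with SessionTicketsDisabled set to true, and applies the recommended workaround. The Finding type and both function names are hypothetical; the server configuration is constructed for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Finding records one risky setting found in a tls.Config (hypothetical type).
type Finding struct {
	Setting string
	Reason  string
}

// AuditClientAuthConfig flags the combination described in the advisory:
// any ClientAuth mode that asks the peer for a certificate, combined with
// SessionTicketsDisabled == true. Other settings are not inspected.
func AuditClientAuthConfig(cfg *tls.Config) []Finding {
	var findings []Finding
	if cfg == nil {
		return findings
	}
	if cfg.ClientAuth != tls.NoClientCert && cfg.SessionTicketsDisabled {
		findings = append(findings, Finding{
			Setting: "SessionTicketsDisabled=true with certificate client auth",
			Reason:  "CVE-2014-7189: a client may assert ownership of any client certificate (Go 1.1 through 1.3.2)",
		})
	}
	return findings
}

// ApplyWorkaround returns a copy of cfg with the advisory's temporary mitigation:
// session tickets are re-enabled so the risky combination no longer holds.
// Updating Go remains the actual fix; this only changes the configuration.
func ApplyWorkaround(cfg *tls.Config) *tls.Config {
	out := cfg.Clone()
	out.SessionTicketsDisabled = false
	return out
}

func main() {
	// Constructed server configuration reproducing the risky combination.
	vulnerable := &tls.Config{
		ClientAuth:             tls.RequireAndVerifyClientCert,
		SessionTicketsDisabled: true,
	}
	for _, f := range AuditClientAuthConfig(vulnerable) {
		fmt.Printf("finding: %s (%s)\n", f.Setting, f.Reason)
	}
	fixed := ApplyWorkaround(vulnerable)
	fmt.Printf("findings after workaround: %d\n", len(AuditClientAuthConfig(fixed)))
}
```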

Fix


Weakness Enumeration

Related Identifiers

ALT-PU-2015-1421
CVE-2014-7189
GO-2021-0154
MGASA-2014-0410
OPENSUSE-SU-2024:10028-1
OPENSUSE-SU-2024:10803-1
OPENSUSE-SU-2024:10804-1
OPENSUSE-SU-2024:10805-1
OPENSUSE-SU-2024:10811-1
OPENSUSE-SU-2024:10812-1

Affected Products

Alt Linux
Go
Suse