PT-2024-2139 · Debian+10

John Howard · Published 2024-03-05 · Updated 2025-06-27

CVE-2024-24783

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

crypto/tls (affected versions not specified)
golang (affected versions not specified)
Description

Verifying a certificate chain that contains a certificate with an unknown public key algorithm causes Certificate.Verify to panic. This affects all crypto/tls clients, and all crypto/tls servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior for TLS servers is to not verify client certificates. The golang package of the Debian GNU/Linux operating system is also reported to be affected by an insufficient-exception-handling vulnerability that a remote attacker can exploit to cause a denial of service (DoS).
Recommendations

For crypto/tls, consider disabling the Certificate.Verify function until a patch is available, to prevent a panic when an unknown public key algorithm is encountered. For golang, restrict use of the vulnerable package to minimize the risk of exploitation until a fix is provided. At the moment there is no information about a newer version that contains a fix for this vulnerability.

DoS

NULL Pointer Dereference


Weakness Enumeration

Related Identifiers

ALSA-2024:2562
ALSA-2024:2724
ALSA-2024:3259
ALSA-2024:3346
ALSA-2024:5258
ALSA-2024:6186
ALSA-2024:6187
ALSA-2024:6188
ALSA-2024:6189
ALSA-2024:6194
ALSA-2024:6195
ALSA-2024:6969
ALT-PU-2024-11781
ALT-PU-2024-11872
ALT-PU-2024-13971
ALT-PU-2024-3504
ALT-PU-2024-3506
ALT-PU-2024-4847
AZL-37320
AZL-37522
AZL-78968
BDU:2024-02048
BIT-GOLANG-2024-24783
CESA-2024_3259
CESA-2024_3346
CESA-2024_5258
CESA-2024_6969
CVE-2024-24783
GHSA-3Q2C-PVP5-3CQP
GO-2024-2598
INFSA-2024_2562
INFSA-2024_2724
INFSA-2024_3259
INFSA-2024_3346
INFSA-2024_5258
INFSA-2024_6186
INFSA-2024_6187
INFSA-2024_6188
INFSA-2024_6189
INFSA-2024_6194
INFSA-2024_6195
INFSA-2024_6969
OESA-2024-1306
OESA-2025-1184
OESA-2025-1683
OESA-2025-1690
OPENSUSE-SU-2024:13752-1
OPENSUSE-SU-2024:13756-1
OPENSUSE-SU-2024_0812-1
OPENSUSE-SU-2024_3089-1
OPENSUSE-SU-2024_3755-1
RHSA-2024:0045
RHSA-2024:2562
RHSA-2024:2724
RHSA-2024:3259
RHSA-2024:3346
RHSA-2024:3781
RHSA-2024:4023
RHSA-2024:4125
RHSA-2024:4893
RHSA-2024:5258
RHSA-2024:6186
RHSA-2024:6187
RHSA-2024:6188
RHSA-2024:6189
RHSA-2024:6194
RHSA-2024:6195
RHSA-2024:6969
RHSA-2024_2562
RHSA-2024_2724
RHSA-2024_3259
RHSA-2024_3346
RHSA-2024_5258
RHSA-2024_6186
RHSA-2024_6187
RHSA-2024_6188
RHSA-2024_6189
RHSA-2024_6194
RHSA-2024_6195
RHSA-2024_6969
RLSA-2024:2562
RLSA-2024:2724
RLSA-2024:3259
RLSA-2024:3346
RLSA-2024:5258
SUSE-SU-2024:0800-1
SUSE-SU-2024:0811-1
SUSE-SU-2024:0812-1
SUSE-SU-2024:0936-1
SUSE-SU-2024:3089-1
SUSE-SU-2024:3755-1
SUSE-SU-2024:3772-1
SUSE-SU-2024:3938-1
USN-6886-1
USN-7109-1
USN-7111-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu