CVE-2024-9355

MEDIUM EPSS 21.4%
Published Oct 1, 20241y ago · Modified Jun 18, 20261w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Oct 1, 2024 1y ago
Last Modified Jun 18, 2026 1w ago

Description

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.

CVSS Details

Base Score
6.5
Exploitability
1.0
Impact
5.5
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

Threat Intelligence

EPSS Exploit Probability
21.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-457

References 14

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.