ticket_age_add in crypto/tls before Go 1.18.3 allows TLS session correlation
CVE-2022-30629 Published on August 10, 2022
Session tickets lack random ticket_age_add in crypto/tls
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
Vulnerability Analysis
CVE-2022-30629 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Products Associated with CVE-2022-30629
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-30629 are published in these products:
Affected Versions
Go standard library crypto/tls:- Before 1.17.11 is affected.
- Version 1.18.0-0 and below 1.18.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.