OpenSSL: URI Name Constraint Bypass with IPv6 Zone ID
CVE-2024-45341 Published on January 28, 2025
Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
Vulnerability Analysis
CVE-2024-45341 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Products Associated with CVE-2024-45341
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-45341 are published in these products:
Affected Versions
Go standard library crypto/x509:- Before 1.22.11 is affected.
- Version 1.23.0-0 and below 1.23.5 is affected.
- Version 1.24.0-0 and below 1.24.0-rc.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.