{"id":"GO-2021-0154","summary":"Man-in-the-middle attack with SessionTicketsDisabled in crypto/tls","details":"When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors.\n\nIf the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.","aliases":["CVE-2014-7189"],"modified":"2024-06-03T20:51:31Z","published":"2022-05-25T21:11:41Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0154","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/148080043"},{"type":"REPORT","url":"https://go.dev/issue/53085"},{"type":"WEB","url":"https://groups.google.com/g/golang-nuts/c/eeOHNw_shwU/m/OHALUmroA5kJ"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.1.0-0"},{"fixed":"1.3.2"}]}],"ecosystem_specific":{"imports":[{"path":"crypto/tls","symbols":["checkForResumption","decryptTicket"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0154.json"}}],"schema_version":"1.7.3","credits":[{"name":"Go Team"}]}