Security [Medium] CVE-2024-45341 #923

upbound-bot · 2025-02-03T08:18:10Z

Vulnerability Details

ID: CVE-2024-45341
Severity: Medium
Affected Provider Version: ['v1.5.3', 'v1.9.2', 'v1.10.2', 'v1.7.2', 'v1.11.0', 'v1.8.2', 'v1.6.3']
Package: stdlib
Package Version: go1.22.7
Type: go-module
Description: A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
Fix State: fixed
Fix Versions: 1.22.11, 1.23.5, 1.24.0-rc2
Artifact Paths: /usr/local/bin/provider
More Info: https://go.dev/cl/643099, https://go.dev/issue/71156, https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ, https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ, https://pkg.go.dev/vuln/GO-2025-3373

This vulnerability was detected during the periodic CVE scan.

sergenyalcin added the vulnerability label Feb 5, 2025