Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-29409

UNKNOWN
Published 2023-08-02T19:47:23.829Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-29409. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Go standard library

crypto/tls

Affected Versions:

0 1.20.0-0 1.21.0-0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-xc82-5m89-g4jv

Advisory Details

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-29409
WEB https://go.dev/cl/515257
WEB https://go.dev/issue/61460
WEB https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ
WEB https://pkg.go.dev/vuln/GO-2023-1987
WEB https://security.gentoo.org/glsa/202311-09
WEB https://security.netapp.com/advisory/ntap-20230831-0010

Advisory provided by GitHub Security Advisory Database. Published: August 2, 2023, Modified: November 25, 2023

References

https://go.dev/issue/61460
https://go.dev/cl/515257
https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ
https://pkg.go.dev/vuln/GO-2023-1987
https://security.netapp.com/advisory/ntap-20230831-0010/
https://security.gentoo.org/glsa/202311-09
Published: 2023-08-02T19:47:23.829Z
Last Modified: 2025-02-13T16:49:16.368Z
Copied to clipboard!