Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

UNKNOWN

Source

secalert@redhat.com

CVE-2024-9355 details

Published : Oct. 1, 2024, 7:15 p.m.
Last Modified : Oct. 1, 2024, 7:15 p.m.

Description

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

CVSS Score

1	2	3	4	5	6.5	7	8	9	10

Weakness

Weakness	Name	Description
CWE-457	Use of Uninitialized Variable	The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

CVSS Data

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

Base Score

6.5

Exploitability Score

1.0

Impact Score

5.5

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

References

URL	Source
https://access.redhat.com/security/cve/CVE-2024-9355	secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2315719	secalert@redhat.com

This website uses the NVD API, but is not approved or certified by it.

CVE-2024-9355

Products

Source

Tags

CVE-2024-9355 details

Description

CVSS Score

Weakness

CVSS Data

Attack Vector

Attack Complexity

Privileges Required

Scope

Confidentiality Impact

Integrity Impact

Availability Impact

Base Score

Exploitability Score

Impact Score

Base Severity

References