CVE-2024-45341

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

28/01/2025

Last modified:

15/04/2026

Description

A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 6.10 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Base Score 3.x

6.10

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://go.dev/cl/643099
https://go.dev/issue/71156
https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/bk9LAa-lCgAJ
https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/G461hA6lCgAJ
https://pkg.go.dev/vuln/GO-2025-3373
https://security.netapp.com/advisory/ntap-20250221-0004/