CVE-2024-9355
Severity: Medium
CVSS v3 Base Score
6.5
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
EPSS Score
0.1%
Exploitation probability in 30 days
Top 79% most likely to be exploited
Attack Characteristics
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Confidentiality
High
Integrity
High
Availability
Low
Published: October 1, 2024 (590 days ago)
Last Modified: March 18, 2026
Vendor: Apache
Source: MITRE
Vulnerability Report
Generated by CyberWatcher
Description
A vulnerability was found in Golang FIPS OpenSSL (the Go bindings that route cryptographic operations to OpenSSL in FIPS mode). Under certain conditions in FIPS mode, a call can return an uninitialized buffer-length variable together with a zeroed output buffer instead of the computed result. Because the caller does not detect this, an attacker who can submit a zeroed buffer in place of a pre-computed sum may force a false-positive match when a trusted, freshly computed HMAC sum is compared against that untrusted input, even though the real sums differ. The same defect can cause a derived key to come out as all zeros rather than an unpredictable value. This may have follow-on implications for the Go TLS stack, which relies on these primitives.
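The failure mode described above, shown as an added example rather than code from the golang-fips project or this report: a hypothetical `macBackend` stands in for the FIPS backend call and, when told to fail, leaves the output buffer zeroed and the length unset. The vulnerable wrapper discards the error and length, so a zero-filled "tag" supplied by an attacker compares equal to the zeroed computed sum; the hardened wrapper checks the error, the output length and rejects an all-zero output, so verification fails closed. All keys, messages and function names are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// macBackend models a FIPS-backend MAC finalisation call (hypothetical; not
// the golang-fips API). It writes the tag into out and returns the number of
// bytes written. With fail=true it mimics the advisory's failure mode: the
// call fails, out is left zero-filled and no length is reported.
func macBackend(key, msg, out []byte, fail bool) (int, error) {
	if fail {
		// Simulated backend failure: caller's buffer stays zeroed, length unset.
		return 0, errors.New("backend MAC finalisation failed")
	}
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return copy(out, m.Sum(nil)), nil
}

// sumVulnerable reproduces the vulnerable pattern: the backend's error and
// output length are thrown away and the full (zeroed) buffer is returned.
func sumVulnerable(key, msg []byte, fail bool) []byte {
	out := make([]byte, sha256.Size)
	macBackend(key, msg, out, fail) // error and length ignored
	return out
}

// sumHardened checks the error, insists on the expected tag length and
// refuses an all-zero tag, which a correct HMAC-SHA256 does not produce.
func sumHardened(key, msg []byte, fail bool) ([]byte, error) {
	out := make([]byte, sha256.Size)
	n, err := macBackend(key, msg, out, fail)
	if err != nil {
		return nil, err
	}
	if n != sha256.Size {
		return nil, fmt.Errorf("short MAC output: got %d bytes, want %d", n, sha256.Size)
	}
	if bytes.Equal(out, make([]byte, sha256.Size)) {
		return nil, errors.New("MAC output is all zeros; refusing to use it")
	}
	return out, nil
}

// verifyVulnerable compares the trusted sum to the untrusted one: when the
// backend failed, the zeroed computed sum matches an attacker's zeroed input.
func verifyVulnerable(key, msg, untrusted []byte, fail bool) bool {
	return hmac.Equal(sumVulnerable(key, msg, fail), untrusted)
}

// verifyHardened fails closed whenever the sum cannot be computed correctly.
func verifyHardened(key, msg, untrusted []byte, fail bool) bool {
	trusted, err := sumHardened(key, msg, fail)
	if err != nil {
		return false
	}
	return hmac.Equal(trusted, untrusted)
}

func main() {
	key := []byte("constructed-example-key")      // constructed sample key
	msg := []byte("transfer 100 to account 42")   // constructed sample message
	forged := make([]byte, sha256.Size)           // attacker sends a zeroed "tag"

	fmt.Println("vulnerable, backend ok:    ", verifyVulnerable(key, msg, forged, false))
	fmt.Println("vulnerable, backend failed:", verifyVulnerable(key, msg, forged, true))
	fmt.Println("hardened, backend failed:  ", verifyHardened(key, msg, forged, true))
}
```

The same three checks (error returned, expected output length, not all zeros) apply to the derived-key path the description mentions: a KDF wrapper that ignores the backend result will hand a zero key to the caller, and a zero-key guard is the cheapest place to catch it before the key reaches the TLS stack.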
CWE
CWE-457 (Use of Uninitialized Variable)
Affected Products
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 9.4 Extended Update Support
Red Hat Satellite Client 6 for RHEL 10
Red Hat Satellite Client 6 for RHEL 8
Red Hat Satellite Client 6 for RHEL 9
Red Hat Streams for Apache Kafka 2.9.0
Red Hat NBDE Tang Server
Red Hat OpenShift Developer Tools and Services