@nyxfqq
Last active July 31, 2024 03:35
CVE-2024-41270
[Suggested description]
Gorush v1.18.4 was discovered to accept deprecated versions of TLS.
The RunHTTPServer function in server_normal.go of the appleboy/gorush/router
package starts the HTTPS listener with the TLS library's default minimum protocol version, which is TLS 1.0, so the server negotiates TLS 1.0 and TLS 1.1 with any client that offers them.
Impact:
Continuing to accept TLS 1.0 and TLS 1.1 exposes the application to
security risks including, but not limited to:
Vulnerabilities: TLS 1.0 and TLS 1.1 are deprecated by RFC 8996. Both use MD5/SHA-1 based PRFs and offer no AEAD cipher suites, and TLS 1.0's chained CBC IVs enable chosen-plaintext attacks such as BEAST, so a connection negotiated at these versions gets weaker protection than TLS 1.2 or 1.3 provides and may lead to data exposure.
Interception: When a client also still permits these versions, an active attacker on the path can attempt to force the connection down to them and then exploit the weaknesses above to intercept or manipulate data in transit.
Compliance Issues: Accepting these protocols violates current industry requirements (for example, PCI DSS has prohibited TLS 1.0 since June 2018), which can lead to audit findings, penalties or legal repercussions.
------------------------------------------
[VulnerabilityType Other]
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
------------------------------------------
[Vendor of Product]
https://github.com/appleboy/gorush https://opencollective.com/gorush
------------------------------------------
[Affected Product Code Base]
gorush <= 1.18.4
------------------------------------------
[Affected Component]
HTTP service (the TLS listener started by RunHTTPServer)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
With autotls disabled (autotls: false), the HTTPS listener started by RunHTTPServer accepts TLS 1.0 as its minimum protocol version, so any remote client that can reach the service can complete a TLS 1.0 or TLS 1.1 handshake.
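The following is an added example and is not code from gorush or from the reporter. It is a Go program that builds the weak server tls.Config beside the corrected one (MinVersion raised to TLS 1.2) and probes each with an in-memory handshake from a client capped at TLS 1.1. The two configs, the self-signed test certificate and the negotiate helper are all constructed here for illustration. The legacy config pins MinVersion to TLS 1.0 explicitly because Go 1.22 and later already default servers to TLS 1.2, so the pre-fix behaviour would not reproduce with an unset MinVersion on a current toolchain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// legacyTLSConfig reproduces the weak setting: MinVersion pinned to TLS 1.0,
// which is what an unset MinVersion meant for Go servers before Go 1.22.
// Kept only so the probe below can demonstrate the problem.
func legacyTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

// hardenedTLSConfig is the corrected setting: TLS 1.2 is the floor, so a
// TLS 1.0/1.1 ClientHello is answered with a protocol_version alert.
func hardenedTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// selfSignedCert generates a throwaway ECDSA P-256 certificate in memory so
// the example runs without any files. Demo only; not for production use.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-version-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// negotiate runs a complete handshake over an in-memory pipe between a server
// using serverCfg and a client that offers TLS 1.0 through clientMax. It
// returns the negotiated version, or an error when the server refuses.
func negotiate(serverCfg *tls.Config, clientMax uint16) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(5 * time.Second)
	_ = srvConn.SetDeadline(deadline)
	_ = cliConn.SetDeadline(deadline)

	// Tickets off: the server's TLS 1.3 flight then ends at Finished, so the
	// unbuffered pipe cannot stall on a NewSessionTicket nobody reads.
	scfg := serverCfg.Clone()
	scfg.SessionTicketsDisabled = true
	server := tls.Server(srvConn, scfg)
	client := tls.Client(cliConn, &tls.Config{
		InsecureSkipVerify: true, // self-signed demo cert; never do this in real clients
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         clientMax,
	})

	srvErr := make(chan error, 1)
	go func() { srvErr <- server.Handshake() }()
	cliErr := client.Handshake()
	<-srvErr
	if cliErr != nil {
		return 0, cliErr
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	configs := map[string]*tls.Config{
		"legacy (MinVersion TLS 1.0)":   legacyTLSConfig(cert),
		"hardened (MinVersion TLS 1.2)": hardenedTLSConfig(cert),
	}
	for name, cfg := range configs {
		if v, err := negotiate(cfg, tls.VersionTLS11); err != nil {
			fmt.Printf("%s: TLS 1.1 client rejected: %v\n", name, err)
		} else {
			fmt.Printf("%s: TLS 1.1 client accepted, negotiated 0x%04x\n", name, v)
		}
	}
}
```

Run with go run: the legacy config reports a completed TLS 1.1 handshake, the hardened one reports a remote protocol_version alert. The same check against a deployed instance is openssl s_client -tls1_1 -connect host:port (OpenSSL 3 additionally needs -cipher 'DEFAULT:@SECLEVEL=0' for the client to offer TLS 1.1 at all); after the fix the handshake must fail.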
------------------------------------------
[Discoverer]
Bingyu Li
------------------------------------------
[Reference]
http://gorush.com
https://github.com/appleboy/gorush