
CVE-2024-41270: Gorush uses deprecated TLS versions

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.16141%
Published: 8/6/2024
Updated: 8/7/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name: github.com/appleboy/gorush
Ecosystem: go
Vulnerable Versions: < 1.18.5
First Patched Version: 1.18.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

  1. The vulnerability description explicitly mentions RunHTTPServer as the affected function.
  2. The GitHub patch shows TLS configuration changes in server_normal.go, modifying MinVersion from TLS 1.0 to 1.2.
  3. CWE-327 aligns with using deprecated TLS versions as a risky cryptographic practice.
  4. The commit message confirms security enhancements focused on TLS version updates in this function.
  5. No other functions are mentioned in vulnerability reports or code changes related to TLS configuration.
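The setting the analysis above describes, as an added Go example that is not gorush's own code: the weak server TLS configuration beside the hardened one, plus an audit function a deployment check can run before the server starts. The Addr value and the function names are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// Constructed example, not gorush's own code. Addr is a placeholder.
var (
	// weakServer mirrors the vulnerable setting: handshakes down to TLS 1.0 are accepted.
	weakServer = &http.Server{Addr: ":8088", TLSConfig: &tls.Config{MinVersion: tls.VersionTLS10}}
	// hardenedServer applies the 1.18.5 fix: nothing below TLS 1.2 is negotiated.
	hardenedServer = &http.Server{Addr: ":8088", TLSConfig: &tls.Config{MinVersion: tls.VersionTLS12}}
)
// versionName renders a crypto/tls version constant for a finding.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	}
	return fmt.Sprintf("0x%04x", v)
}

// auditTLS returns the findings a pre-start check should raise; an empty
// result means the minimum version is explicitly pinned at TLS 1.2 or newer.
func auditTLS(srv *http.Server) []string {
	cfg := srv.TLSConfig
	if cfg == nil {
		return []string{"TLSConfig is nil: minimum version falls back to the toolchain default"}
	}
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion unset: minimum version depends on the Go toolchain default")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion "+versionName(cfg.MinVersion)+" is deprecated; require TLS 1.2 or newer")
	}
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS12 {
		findings = append(findings, "MaxVersion "+versionName(cfg.MaxVersion)+" caps negotiation below TLS 1.2")
	}
	return findings
}

func main() {
	fmt.Println("weak:", auditTLS(weakServer))
	fmt.Println("hardened:", auditTLS(hardenedServer))
}
```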


WAF Protection Rules

WAF Rule

An issue discovered in the RunHTTPServer function in Gorush (versions before 1.18.5) allows attackers to intercept and manipulate data due to use of a deprecated TLS version.
