fkie_cve-2024-24789
Vulnerability from fkie_nvd
Published
2024-06-05 16:15
Modified
2025-01-31 15:15
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
5.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
References
security@golang.orghttp://www.openwall.com/lists/oss-security/2024/06/04/1Mailing List
security@golang.orghttps://go.dev/cl/585397Patch
security@golang.orghttps://go.dev/issue/66869Issue Tracking, Patch
security@golang.orghttps://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJRelease Notes
security@golang.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/
security@golang.orghttps://pkg.go.dev/vuln/GO-2024-2888Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2024/06/04/1Mailing List
af854a3a-2127-422b-91ae-364da2661108https://go.dev/cl/585397Patch
af854a3a-2127-422b-91ae-364da2661108https://go.dev/issue/66869Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJRelease Notes
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/
af854a3a-2127-422b-91ae-364da2661108https://pkg.go.dev/vuln/GO-2024-2888Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20250131-0008/
Impacted products
Vendor Product Version
golang go *
golang go *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7A191F39-17BE-4051-A445-E60525659377",
              "versionEndExcluding": "1.21.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B85AD31-1004-48F3-9A80-7CF48CD0CEA7",
              "versionEndExcluding": "1.22.4",
              "versionStartIncluding": "1.22.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The archive/zip package\u0027s handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors."
    },
    {
      "lang": "es",
      "value": "El manejo que hace el paquete archive/zip de ciertos tipos de archivos zip no v\u00e1lidos difiere del comportamiento de la mayor\u00eda de las implementaciones zip. Esta desalineaci\u00f3n podr\u00eda aprovecharse para crear un archivo zip con contenidos que var\u00edan seg\u00fan la implementaci\u00f3n que lea el archivo. El paquete archive/zip ahora rechaza los archivos que contienen estos errores."
    }
  ],
  "id": "CVE-2024-24789",
  "lastModified": "2025-01-31T15:15:12.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-05T16:15:10.470",
  "references": [
    {
      "source": "security@golang.org",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/06/04/1"
    },
    {
      "source": "security@golang.org",
      "tags": [
        "Patch"
      ],
      "url": "https://go.dev/cl/585397"
    },
    {
      "source": "security@golang.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://go.dev/issue/66869"
    },
    {
      "source": "security@golang.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ"
    },
    {
      "source": "security@golang.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/"
    },
    {
      "source": "security@golang.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://pkg.go.dev/vuln/GO-2024-2888"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/06/04/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://go.dev/cl/585397"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://go.dev/issue/66869"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://pkg.go.dev/vuln/GO-2024-2888"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20250131-0008/"
    }
  ],
  "sourceIdentifier": "security@golang.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.