CVE-2024-24789 - OpenCVE

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Golang	Go

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/06/04/1	Mailing List
https://go.dev/cl/585397	Patch
https://go.dev/issue/66869	Issue Tracking Patch
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ	Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/
https://pkg.go.dev/vuln/GO-2024-2888	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Go

Published: 2024-06-05T15:13:51.938Z

Updated: 2024-06-05T15:13:51.938Z

Reserved: 2024-01-30T16:05:14.758Z

Link: CVE-2024-24789

JSON object: View

NVD Information

Status : Modified

Published: 2024-06-05T16:15:10.470

Modified: 2024-06-19T03:15:09.183

Link: CVE-2024-24789

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-24789", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2024-01-30T16:05:14.758Z", "datePublished": "2024-06-05T15:13:51.938Z", "dateUpdated": "2024-06-05T15:13:51.938Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-06-05T15:13:51.938Z"}, "title": "Mishandling of corrupt central directory record in archive/zip", "descriptions": [{"lang": "en", "value": "The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors."}], "affected": [{"vendor": "Go standard library", "product": "archive/zip", "collectionURL": "https://pkg.go.dev", "packageName": "archive/zip", "versions": [{"version": "0", "lessThan": "1.21.11", "status": "affected", "versionType": "semver"}, {"version": "1.22.0-0", "lessThan": "1.22.4", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "findSignatureInBlock"}, {"name": "NewReader"}, {"name": "OpenReader"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-390: Detection of Error Condition Without Action"}]}], "references": [{"url": "https://go.dev/cl/585397"}, {"url": "https://go.dev/issue/66869"}, {"url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ"}, {"url": "https://pkg.go.dev/vuln/GO-2024-2888"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/04/1"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/"}], "credits": [{"lang": "en", "value": "Yufan You (@ouuan)"}]}, "adp": [{"affected": [{"vendor": "golang", "product": "go", "cpes": ["cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.21.11", "versionType": "semver"}, {"version": "1.22.0", "status": "affected", "lessThan": "1.22.4", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T15:26:12.977985Z", "id": "CVE-2024-24789", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-13T16:20:49.160Z"}}]}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A191F39-17BE-4051-A445-E60525659377", "versionEndExcluding": "1.21.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B85AD31-1004-48F3-9A80-7CF48CD0CEA7", "versionEndExcluding": "1.22.4", "versionStartIncluding": "1.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors."}, {"lang": "es", "value": "El manejo que hace el paquete archive/zip de ciertos tipos de archivos zip no v\u00e1lidos difiere del comportamiento de la mayor\u00eda de las implementaciones zip. Esta desalineaci\u00f3n podr\u00eda aprovecharse para crear un archivo zip con contenidos que var\u00edan seg\u00fan la implementaci\u00f3n que lea el archivo. El paquete archive/zip ahora rechaza los archivos que contienen estos errores."}], "id": "CVE-2024-24789", "lastModified": "2024-06-19T03:15:09.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-05T16:15:10.470", "references": [{"source": "security@golang.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/06/04/1"}, {"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/585397"}, {"source": "security@golang.org", "tags": ["Issue Tracking", "Patch"], "url": "https://go.dev/issue/66869"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ"}, {"source": "security@golang.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/vuln/GO-2024-2888"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}