CVE-2024-24790 - OpenCVE

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Golang	Go

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/06/04/1	Mailing List Third Party Advisory
https://go.dev/cl/590316	Patch
https://go.dev/issue/67680	Issue Tracking
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ	Release Notes
https://pkg.go.dev/vuln/GO-2024-2887	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Go

Published: 2024-06-05T15:13:50.527Z

Updated: 2024-06-05T15:13:50.527Z

Reserved: 2024-01-30T16:05:14.758Z

Link: CVE-2024-24790

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-06-05T16:15:10.560

Modified: 2024-06-18T17:59:12.547

Link: CVE-2024-24790

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A191F39-17BE-4051-A445-E60525659377", "versionEndExcluding": "1.21.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B85AD31-1004-48F3-9A80-7CF48CD0CEA7", "versionEndExcluding": "1.22.4", "versionStartIncluding": "1.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms."}, {"lang": "es", "value": "Los diversos m\u00e9todos Is (IsPrivate, IsLoopback, etc.) no funcionaron como se esperaba para las direcciones IPv6 asignadas a IPv4, devolviendo falso para direcciones que devolver\u00edan verdadero en sus formas IPv4 tradicionales."}], "id": "CVE-2024-24790", "lastModified": "2024-06-18T17:59:12.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-05T16:15:10.560", "references": [{"source": "security@golang.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/06/04/1"}, {"source": "security@golang.org", "tags": ["Patch"], "url": "https://go.dev/cl/590316"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/67680"}, {"source": "security@golang.org", "tags": ["Release Notes"], "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/vuln/GO-2024-2887"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}