Multiple vulnerabilities in Microsoft Azure AMQP library for C
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-21646 CVE-2024-25110 |
| CWE-ID | CWE-190 CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Azure AMQP library for C Universal components / Libraries / Programming Languages & Components |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Integer overflow
EUVDB-ID: #VU87934
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-21646
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow. A remote user can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAzure AMQP library for C: before 2024-01-01
CPE2.3 External linkshttps://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-j29m-p99g-7hpv
https://github.com/Azure/azure-uamqp-c/commit/12ddb3a31a5a97f55b06fa5d74c59a1d84ad78fe
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU87933
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-25110
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the open_get_offered_capabilities() function. A remote attacker can trigger a use-after-free error and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsAzure AMQP library for C: before 2024-01-01
CPE2.3 External linkshttps://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v
https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
