#VU91159 Input validation error in Go programming language - CVE-2024-24789

Cybersecurity Help s.r.o.

Published: 2024-06-05

Vulnerability identifier: #VU91159

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-24789

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to manipulate data.

The vulnerability exists due to insufficient validation of user-supplied input in archive/zip when handling zip archives. A remote attacker can create a zip file with content that will vary depending on the implementation reading the file.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Go programming language: 1.21 rc1 - 1.22.3

External links
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k
https://github.com/golang/go/issues/66869

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Anolis OS update for container-tools:an8 module

Anolis OS update for grafana

Anolis OS update for golang

Anolis OS update for go-toolset:an8 module

Multiple vulnerabilities in IBM Concert Software

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Multiple vulnerabilities in IBM Spectrum Protect Plus

Ubuntu update for golang-1.18

Fedora 42 update for doctl

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for Golang Go