All the vulnerabilites related to Go standard library - archive/zip
cve-2024-24789
Vulnerability from cvelistv5
Published
2024-06-05 15:13
Modified
2024-08-01 23:28
Severity ?
EPSS score ?
Summary
Mishandling of corrupt central directory record in archive/zip
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Go standard library | archive/zip |
Version: 0 ≤ Version: 1.22.0-0 ≤ |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "go", "vendor": "golang", "versions": [ { "lessThan": "1.21.11", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "1.22.4", "status": "affected", "version": "1.22.0", "versionType": "semver" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-24789", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-06T15:26:12.977985Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-13T16:20:49.160Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:28:12.584Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://go.dev/cl/585397" }, { "tags": [ "x_transferred" ], "url": "https://go.dev/issue/66869" }, { "tags": [ "x_transferred" ], "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ" }, { "tags": [ "x_transferred" ], "url": "https://pkg.go.dev/vuln/GO-2024-2888" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2024/06/04/1" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "packageName": "archive/zip", "product": "archive/zip", "programRoutines": [ { "name": "findSignatureInBlock" }, { "name": "NewReader" }, { "name": "OpenReader" } ], "vendor": "Go standard library", "versions": [ { "lessThan": "1.21.11", "status": "affected", "version": "0", "versionType": "semver" }, { "lessThan": "1.22.4", "status": "affected", "version": "1.22.0-0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "value": "Yufan You (@ouuan)" } ], "descriptions": [ { "lang": "en", "value": "The archive/zip package\u0027s handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors." } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-390: Detection of Error Condition Without Action", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-05T15:13:51.938Z", "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go" }, "references": [ { "url": "https://go.dev/cl/585397" }, { "url": "https://go.dev/issue/66869" }, { "url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ" }, { "url": "https://pkg.go.dev/vuln/GO-2024-2888" }, { "url": "http://www.openwall.com/lists/oss-security/2024/06/04/1" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/" } ], "title": "Mishandling of corrupt central directory record in archive/zip" } }, "cveMetadata": { "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "assignerShortName": "Go", "cveId": "CVE-2024-24789", "datePublished": "2024-06-05T15:13:51.938Z", "dateReserved": "2024-01-30T16:05:14.758Z", "dateUpdated": "2024-08-01T23:28:12.584Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }