CVE-2024-24789

medium

Description

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

References

https://pkg.go.dev/vuln/GO-2024-2888

https://pkg.go.dev/vuln/GO-2024-2888

https://lists.fedoraproject.org/archives/list/[email protected]/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/

https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ

https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ

https://go.dev/issue/66869

https://go.dev/issue/66869

https://go.dev/cl/585397

https://go.dev/cl/585397

http://www.openwall.com/lists/oss-security/2024/06/04/1

http://www.openwall.com/lists/oss-security/2024/06/04/1

Details

Source: Mitre, NVD

Published: 2024-06-05

Updated: 2024-07-03

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium