CVE-2024-24786

EUVD-2024-0879
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
golanggo
𝑥
< 1.33.0
ADP
Debian logo
Debian Releases
Debian Product
Codename
golang-google-protobuf
bookworm
no-dsa
bullseye
no-dsa
forky
1.36.7-1
fixed
sid
1.36.7-1
fixed
trixie
1.36.5-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-google-protobuf
focal
dne
jammy
needs-triage
mantic
ignored
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
google-guest-agent
bionic
needs-triage
focal
Fixed 20240213.00-0ubuntu4
released
jammy
Fixed 20231004.02-0ubuntu1~22.04.4
released
mantic
Fixed 20231004.02-0ubuntu1~23.10.3
released
noble
Fixed 20240213.00-0ubuntu3.1
released
oracular
Fixed 20240213.00-0ubuntu4
released
plucky
Fixed 20240213.00-0ubuntu4
released
questing
Fixed 20240213.00-0ubuntu4
released
xenial
needs-triage
google-osconfig-agent
bionic
needs-triage
focal
needs-triage
jammy
Fixed 20230504.00-0ubuntu1~22.04.1
released
mantic
Fixed 20230504.00-0ubuntu2.2
released
noble
Fixed 20240320.00-0ubuntu1~24.04.1
released
oracular
Fixed 20240320.00-0ubuntu2
released
plucky
Fixed 20240320.00-0ubuntu2
released
questing
Fixed 20240320.00-0ubuntu2
released
xenial
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
buildah
suse enterprise sap 15 SP5
1.35.4-150500.3.10.1
fixed
suse enterprise sap 15 SP6
1.35.4-150500.3.10.1
fixed
suse enterprise sap 15 SP7
1.35.4-150500.3.10.1
fixed
suse enterprise server 15 SP3
1.35.4-150300.8.25.1
fixed
suse enterprise server 15 SP4
1.35.4-150400.3.30.1
fixed
suse enterprise server 15 SP5
1.35.4-150500.3.10.1
fixed
suse enterprise server 15 SP6
1.35.4-150500.3.10.1
fixed
suse enterprise server 15 SP7
1.35.4-150500.3.10.1
fixed
podman
suse enterprise sap 15 SP5
4.9.5-150500.3.12.1
fixed
suse enterprise sap 15 SP6
4.9.5-150500.3.12.1
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP3
4.9.5-150300.9.31.1
fixed
suse enterprise server 15 SP4
4.9.5-150400.4.27.1
fixed
suse enterprise server 15 SP5
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.12.1
fixed
podman-docker
suse enterprise sap 15 SP5
4.9.5-150500.3.12.1
fixed
suse enterprise sap 15 SP6
4.9.5-150500.3.12.1
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP4
4.9.5-150400.4.27.1
fixed
suse enterprise server 15 SP5
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.12.1
fixed
podman-remote
suse enterprise sap 15 SP5
4.9.5-150500.3.12.1
fixed
suse enterprise sap 15 SP6
4.9.5-150500.3.12.1
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP3
4.9.5-150300.9.31.1
fixed
suse enterprise server 15 SP4
4.9.5-150400.4.27.1
fixed
suse enterprise server 15 SP5
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.12.1
fixed
podmansh
suse enterprise sap 15 SP5
4.9.5-150500.3.12.1
fixed
suse enterprise sap 15 SP6
4.9.5-150500.3.12.1
fixed
suse enterprise sap 15 SP7
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP5
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP6
4.9.5-150500.3.12.1
fixed
suse enterprise server 15 SP7
4.9.5-150500.3.12.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
buildah
RHEL 9
2:1.33.7-1.el9_4
fixed
buildah-tests
RHEL 9
2:1.33.7-1.el9_4
fixed
podman
RHEL 9
4:4.9.4-3.el9_4
fixed
podman-docker
RHEL 9
4:4.9.4-3.el9_4
fixed
podman-plugins
RHEL 9
4:4.9.4-3.el9_4
fixed
podman-remote
RHEL 9
4:4.9.4-3.el9_4
fixed
podman-tests
RHEL 9
4:4.9.4-3.el9_4
fixed
rhc-worker-script
RHEL 7
0:0.7-1.el7_9
fixed
skopeo
RHEL 9
2:1.14.3-2.el9_4
fixed
skopeo-tests
RHEL 9
2:1.14.3-2.el9_4
fixed
References
http://www.openwall.com/lists/oss-security/2024/03/08/4
https://go.dev/cl/569356
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/
https://pkg.go.dev/vuln/GO-2024-2611
https://security.netapp.com/advisory/ntap-20240517-0002/
http://www.openwall.com/lists/oss-security/2024/03/08/4
https://go.dev/cl/569356
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/
https://pkg.go.dev/vuln/GO-2024-2611
https://security.netapp.com/advisory/ntap-20240517-0002/