CVE-2024-39684

EUVD-2024-38186
Tencent RapidJSON is vulnerable to privilege escalation due to an integer overflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer overflow vulnerability (when the file is parsed), leading to elevation of privilege.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
GitHub_MCNA
6.8 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 36%
Windows Releases
Platform
Version
Windows 10
(x64, x86)
KB5040448
1607 (x64, x86)
KB5040434
1809 (x64, x86)
KB5040430
21H2 (arm64, x64, x86)
KB5040427
22H2 (arm64, x64, x86)
KB5040427
Windows 11
21H2 (arm64, x64)
KB5040431
22H2 (arm64, x64)
KB5040442
23H2 (arm64, x64)
KB5040442
Windows Server 2008
Service Pack 2 (x64, x86)
KB5040499
Service Pack 2 Server Core (x64, x86)
KB5040499
Windows Server 2008 R2
Service Pack 1 (x64)
KB5040498
Service Pack 1 Server Core (x64)
KB5040498
Windows Server 2012
Server Core
KB5040485
Standard
KB5040485
Windows Server 2012 R2
Server Core
KB5040456
Standard
KB5040456
Windows Server 2016
Server Core
KB5040434
Standard
KB5040434
Windows Server 2019
Server Core
KB5040430
Standard
KB5040430
Windows Server 2022
23H2 Server Core
KB5040438
Server Core
KB5040437
Standard
KB5040437
Debian logo
Debian Releases
Debian Product
Codename
rapidjson
bookworm
postponed
bullseye
postponed
forky
vulnerable
sid
vulnerable
trixie
postponed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rapidjson
bionic
needed
focal
needed
jammy
needed
mantic
ignored
noble
needed
oracular
ignored
plucky
needed
questing
needed
xenial
needed
Common Weakness Enumeration
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-39684
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-39684
https://security.netapp.com/advisory/ntap-20240905-0003/