CVE-2022-24675
Published: 2022-04-20
CVE-2022-24675: encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
Priority: P344 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 5.33% (91.6th percentile)
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| golang | go | < 1.17.9 | 1.17.9 |
| golang | go | >= 1.18.0 < 1.18.1 | 1.18.1 |
| msrc | cbl2_golang_1.18.3-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_golang_1.16.15-2_on_cbl_mariner_1.0 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV
CVE-2022-24675 · Stack overflow from a large amount of PEM data in encoding/pem
osv · 2022-05-20
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
GHSA
GHSA-q42m-q8hq-53rj: encoding/pem in Go before 1
ghsa_unreviewed · 2022-04-21 · CVE-2022-24675 · HIGH · CWE-770
encoding/pem in Go before 1.17.9 and 1.8.x before 1.8.1 has a Decode stack overflow via a large amount of PEM data.
OSV
CVE-2022-24675: encoding/pem in Go before 1
osv · 2022-04-20 · CVSS 7.5 · HIGH
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
Palo Alto
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-11-01 · CVSS 9.8 · CVE-2017-12424 · CRITICAL
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
CISA ICS
Siemens Brownfield Connectivity Gateway
cisa_ics · 2023-02-16 · CVSS 7.5 · HIGH
ICS Advisory
Release Date: February 16, 2023
Alert Code: ICSA-23-047-04
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Brownfield Connectivity—Gateway
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Uncontrolled Resource Consumption, Exposure of Resource to Wrong S
Red Hat
golang: encoding/pem: fix stack overflow in Decode
vendor_redhat · 2022-04-12 · CVSS 7.5 · CVE-2022-24675 · HIGH · CWE-120
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability.
Statement: Red Hat Enterprise Linux 7, 8 and 9 are affected, because the code-base is affected by this vulnerability.
Red Hat Product Security has rated this issue as having Moderate security impact, and the issue is not currently planned to be addressed in future updates for Red Hat Enterprise Linux 7, hence, marked as Out-of-Support-Scope.
Red Hat Developer Tools - Compilers (go-toolset-1.16-golang & go-tools
Microsoft
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.
vendor_msrc · 2022-04-12 · CVSS 7.5 · CVE-2022-24675 · HIGH · CWE-674
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
mitre: mitre
Customer Action Required: Ye
No detection rules found.
No public exploits indexed.
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
- https://groups.google.com/g/golang-announce
- https://groups.google.com/g/golang-announce/c/oecdBNLOml8
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TYZC4OAY54TO75FBEFAPV5G7O4D5TM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F3BMW5QGX53CMIJIZWKXFKBJX2C5GWTY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RCRSABD6CUDIZULZPZL5BJ3ET3A2NEJP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
- https://security.gentoo.org/glsa/202208-02
- https://security.netapp.com/advisory/ntap-20220915-0010/
Published: 2022-04-20