CVE-2024-24784 — Misinterpretation of Input in Standard Library NET Mail

CWE-115 — Misinterpretation of Input14 documents8 sources

Severity

7.5HIGHNVD

EPSS

2.0%

top 16.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library NET Mail Paloalto Pan-os Debian Golang-1.15 +14 more

Timeline

PublishedMar 5

Latest updateNov 14

Description

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages17 packages

▶CVEListV5go_standard_library/net_mail1.22.0-0 — 1.22.1+1

▶Palo Altopaloalto/pan-os

▶debiandebian/golang-1.15

▶debiandebian/golang-1.19

▶msrcmsrc/azl3_gcc_13.2.0-7_on_azure_linux_3.0

🔴Vulnerability Details

OSV

golang-1.17 vulnerabilities↗2024-11-14

▶

OSV

golang-1.18 vulnerabilities↗2024-11-14

▶

OSV

golang-1.21, golang-1.22 vulnerabilities↗2024-07-09

▶

GHSA

GHSA-fgq5-q76c-gx78: The ParseAddressList function incorrectly handles comments (text within parentheses) within display names↗2024-03-06

▶

OSV

CVE-2024-24784: The ParseAddressList function incorrectly handles comments (text within parentheses) within display names↗2024-03-05

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Palo Alto

PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-11-01

▶

Ubuntu

Go vulnerabilities↗2024-07-09

▶

Microsoft

Comments in display names are incorrectly handled in net/mail↗2024-03-12

▶