CVE-2024-24788
Published 2024-05-08
CVE-2024-24788: A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
Priority: P4 · 26 · medium · CVSS 3.1: 5.9
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.00% (58.5th percentile)
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| debian | golang-1.19 | — | — |
| github.com | traefik_traefik | 0 – 1.7.34 | — |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.3 | 2.11.3 |
| github.com | traefik_traefik_v3 | >= 0 < 3.0.1 | 3.0.1 |
| go_standard_library | net | >= 1.22.0-0 < 1.22.3 | 1.22.3 |
| msrc | azl3_golang_1.22.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.3-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.22.3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
CVSS provenance
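| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | — | 5.9 | MEDIUM | — |
| osv | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_debian | — | 5.9 | LOW | — |
| vendor_msrc | — | 5.9 | MEDIUM | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |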
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-07-09·CVSS 7.5
CVE-2023-45290 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
It was discovered that the Go net/http module did not properly handle the
requests when request's headers exceed MaxHeaderBytes. An attacker could
possibly use this issue to cause a panic resulting into a denial of service.
This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-45288)
It was discovered that the Go net/http module did not properly validate the
subdomain match or exact match of the initial domain. An attacker could
possibly use this issue to read sensitive information. This issue only
affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289)
It was discovered that the Go net/http module did not properly validate the
total size of the parsed form w
Microsoft
Malformed DNS message can cause infinite loop in net
vendor_msrc·2024-05-14·CVSS 5.9
CVE-2024-24788 [MEDIUM] CWE-835 Malformed DNS message can cause infinite loop in net
Malformed DNS message can cause infinite loop in net
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsof
Red Hat
golang: net: malformed DNS message can cause infinite loop
vendor_redhat·2024-05-08·CVSS 5.9
CVE-2024-24788 [MEDIUM] CWE-835 golang: net: malformed DNS message can cause infinite loop
golang: net: malformed DNS message can cause infinite loop
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
A flaw was found in the net package of the Go stdlib. When a malformed DNS message is received as a response to a query, the Lookup functions within the net package can get stuck in an infinite loop. This issue can lead to resource exhaustion and denial of service (DoS) conditions.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: cert-manager/cert-manager-operator-rhel9 (cert-manager Operator for Red Hat OpenShift) -
Debian
CVE-2024-24788: golang-1.15 - A malformed DNS message in response to a query can cause the Lookup functions to...
vendor_debian·2024·CVSS 5.9
CVE-2024-24788 [MEDIUM] CVE-2024-24788: golang-1.15 - A malformed DNS message in response to a query can cause the Lookup functions to...
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
Scope: local
bullseye: resolved
OSV
golang-1.21, golang-1.22 vulnerabilities
osv·2024-07-09·CVSS 7.5
CVE-2023-45288 [HIGH] golang-1.21, golang-1.22 vulnerabilities
golang-1.21, golang-1.22 vulnerabilities
It was discovered that the Go net/http module did not properly handle the
requests when request's headers exceed MaxHeaderBytes. An attacker could
possibly use this issue to cause a panic resulting into a denial of service.
This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-45288)
It was discovered that the Go net/http module did not properly validate the
subdomain match or exact match of the initial domain. An attacker could
possibly use this issue to read sensitive information. This issue only
affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289)
It was discovered that the Go net/http module did not properly validate the
total size of the parsed form when parsing a multipart form. An atta
GHSA
Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop
ghsa·2024-05-23·CVSS 5.9
CVE-2024-24788 [MEDIUM] CWE-1395 Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop
Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop
### Impact
There is a vulnerability in [GO managing malformed DNS message](https://groups.google.com/g/golang-announce/c/wkkO4P9stm0), which impacts Traefik.
This vulnerability could be exploited to cause a denial of service.
### References
- [CVE-2024-24788](https://www.cve.org/CVERecord?id=CVE-2024-24788)
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.3
- https://github.com/traefik/traefik/releases/tag/v3.0.1
### Workarounds
No workaround.
### For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
OSV
Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop
osv·2024-05-23·CVSS 5.9
CVE-2024-24788 [MEDIUM] Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop
Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop
### Impact
There is a vulnerability in [GO managing malformed DNS message](https://groups.google.com/g/golang-announce/c/wkkO4P9stm0), which impacts Traefik.
This vulnerability could be exploited to cause a denial of service.
### References
- [CVE-2024-24788](https://www.cve.org/CVERecord?id=CVE-2024-24788)
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.3
- https://github.com/traefik/traefik/releases/tag/v3.0.1
### Workarounds
No workaround.
### For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
OSV
CVE-2024-24788: A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop
osv·2024-05-08·CVSS 5.9
CVE-2024-24788 [MEDIUM] CVE-2024-24788: A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
GHSA
GHSA-2jwv-jmq4-4j3r: A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop
ghsa_unreviewed·2024-05-08
CVE-2024-24788 GHSA-2jwv-jmq4-4j3r: A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
OSV
Malformed DNS message can cause infinite loop in net
osv·2024-05-07
CVE-2024-24788 Malformed DNS message can cause infinite loop in net
Malformed DNS message can cause infinite loop in net
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
No detection rules found.
No public exploits indexed.
- http://www.openwall.com/lists/oss-security/2024/05/08/3
- https://go.dev/cl/578375
- https://go.dev/issue/66754
- https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
- https://pkg.go.dev/vuln/GO-2024-2824
- https://security.netapp.com/advisory/ntap-20240605-0002/
- https://security.netapp.com/advisory/ntap-20240614-0001/

Published: 2024-05-08