CVE-2024-24789: Improper Input Validation in Standard Library Archive ZIP

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 99.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 5; Latest update Nov 14

Description

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file whose contents vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (2 packages)

Source: CVEListV5 | Package: go_standard_library/archive_zip | Versions: from 1.22.0-0 to 1.22.4 | +1
Source: NVD | Package: golang/go | Versions: from 1.22.0 to 1.22.4 | +1

Patches

Vulnerability Details (4)

CVEList: Mishandling of corrupt central directory record in archive/zip (2024-06-05)
GHSA: GHSA-236w-p7wf-5ph8: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations (2024-06-05)
OSV: CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations (2024-06-05)
OSV: Mishandling of corrupt central directory record in archive/zip (2024-06-04)

Vendor Advisories (6)

Ubuntu: Go vulnerabilities (2024-11-14)
Ubuntu: Go vulnerabilities (2024-11-14)
Ubuntu: Go vulnerabilities (2024-07-09)
Microsoft: Mishandling of corrupt central directory record in archive/zip (2024-06-11)
Red Hat: golang: archive/zip: Incorrect handling of certain ZIP files (2024-06-04)
CVE-2024-24789 — Improper Input Validation | cvebase