CVE-2024-24789
published 2024-06-05CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be…
PriorityP423medium5.5CVSS 3.1
AVLACLPRLUINSUCNIHAN
EPSS
0.45%
35.7th percentile
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| debian | golang-1.19 | — | — |
| go_standard_library | archive_zip | < 1.21.11 | 1.21.11 |
| go_standard_library | archive_zip | >= 1.22.0-0 < 1.22.4 | 1.22.4 |
| golang | go | < 1.21.11 | 1.21.11 |
| golang | go | >= 1.22.0 < 1.22.4 | 1.22.4 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.22.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.7-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_gcc_11.2.0-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.21.11-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.22.4-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
osv7.5HIGH
vendor_ubuntu7.5HIGH
vendor_debian5.5MEDIUM
vendor_redhat5.5MEDIUM
vendor_msrc5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2023-29405 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2024-24791 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-07-09·CVSS 7.5
CVE-2023-45290 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
It was discovered that the Go net/http module did not properly handle the
requests when request\'s headers exceed MaxHeaderBytes. An attacker could
possibly use this issue to cause a panic resulting into a denial of service.
This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-45288)
It was discovered that the Go net/http module did not properly validate the
subdomain match or exact match of the initial domain. An attacker could
possibly use this issue to read sensitive information. This issue only
affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289)
It was discovered that the Go net/http module did not properly validate the
total size of the parsed form w
Microsoft
Mishandling of corrupt central directory record in archive/zip
vendor_msrc·2024-06-11·CVSS 5.3
CVE-2024-24789 [MEDIUM] Mishandling of corrupt central directory record in archive/zip
Mishandling of corrupt central directory record in archive/zip
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://lear
Red Hat
golang: archive/zip: Incorrect handling of certain ZIP files
vendor_redhat·2024-06-04·CVSS 5.5
CVE-2024-24789 [MEDIUM] CWE-20 golang: archive/zip: Incorrect handling of certain ZIP files
golang: archive/zip: Incorrect handling of certain ZIP files
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
A flaw was found in Golang. The ZIP implementation of the Go language archive/zip library behaves differently than the rest of the ZIP file format implementations. When handling ZIP files with a corrupted central directory record, the library skips over the invalid record and processes the next valid one. This flaw allows a malicious user to access hidden information or files inside maliciously crafted ZIP
Debian
CVE-2024-24789: golang-1.15 - The archive/zip package's handling of certain types of invalid zip files differs...
vendor_debian·2024·CVSS 5.5
CVE-2024-24789 [MEDIUM] CVE-2024-24789: golang-1.15 - The archive/zip package's handling of certain types of invalid zip files differs...
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
Scope: local
bullseye: open
OSV
golang-1.17 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.17 vulnerabilities
golang-1.17 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Jakob Ackermann discovered that Go incorrectly handled multipart
forms. An attacker could possibly use this issue to consume an excessive
amount of
OSV
golang-1.18 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.18 vulnerabilities
golang-1.18 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
OSV
golang-1.21, golang-1.22 vulnerabilities
osv·2024-07-09·CVSS 7.5
CVE-2023-45288 [HIGH] golang-1.21, golang-1.22 vulnerabilities
golang-1.21, golang-1.22 vulnerabilities
It was discovered that the Go net/http module did not properly handle the
requests when request\'s headers exceed MaxHeaderBytes. An attacker could
possibly use this issue to cause a panic resulting into a denial of service.
This issue only affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-45288)
It was discovered that the Go net/http module did not properly validate the
subdomain match or exact match of the initial domain. An attacker could
possibly use this issue to read sensitive information. This issue only
affected Go 1.21 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-45289)
It was discovered that the Go net/http module did not properly validate the
total size of the parsed form when parsing a multipart form. An atta
GHSA
GHSA-236w-p7wf-5ph8: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations
ghsa_unreviewed·2024-06-05
CVE-2024-24789 [MEDIUM] GHSA-236w-p7wf-5ph8: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
OSV
CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations
osv·2024-06-05·CVSS 5.5
CVE-2024-24789 [MEDIUM] CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
OSV
Mishandling of corrupt central directory record in archive/zip
osv·2024-06-04
CVE-2024-24789 Mishandling of corrupt central directory record in archive/zip
Mishandling of corrupt central directory record in archive/zip
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
No detection rules found.
No public exploits indexed.
http://www.openwall.com/lists/oss-security/2024/06/04/1https://go.dev/cl/585397https://go.dev/issue/66869https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJhttps://lists.fedoraproject.org/archives/list/[email protected]/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/https://pkg.go.dev/vuln/GO-2024-2888http://www.openwall.com/lists/oss-security/2024/06/04/1https://go.dev/cl/585397https://go.dev/issue/66869https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJhttps://lists.fedoraproject.org/archives/list/[email protected]/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/https://pkg.go.dev/vuln/GO-2024-2888https://security.netapp.com/advisory/ntap-20250131-0008/
2024-06-05
Published