CVE-2024-25110Code Injection in Azure-uamqp-c

CWE-94Code InjectionCWE-416Use After FreeCWE-190Integer Overflow or Wraparound5 documents5 sources
Severity
8.1HIGHNVD
EPSS
0.7%
top 27.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
Azure Azure-uamqp-cMicrosoft Azure UamqpDebian Azure-uamqp-python+8 more
Timeline
PublishedFeb 12
Latest updateFeb 13

Description

The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail causing a use-after-free issue and if a client called it during connection communication it may cause a remote code execution. Users are advised to update the submodule with commit `30865c9c`. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages11 packages

CVEListV5azure/azure-uamqp-c< 2024-01-01
NVDmicrosoft/azure_uamqp< 2024-02-01
debiandebian/azure-uamqp-python< azure-uamqp-python 1.6.8-2 (forky)

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
OSV
CVE-2024-25110: The UAMQP is a general purpose C library for AMQP 12024-02-12

📋Vendor Advisories

3
Microsoft
Azure IoT Platform Device SDK Remote Code Execution Vulnerability2024-02-13
Red Hat
python-uamqp-azure: Integer overflow at message.c2024-02-10
Debian
CVE-2024-25110: azure-uamqp-python - The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get...2024