CVE-2024-34156 — Uncontrolled Recursion in Standard Library Encoding GOB

CWE-674 — Uncontrolled Recursion12 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 46.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Encoding GOB

Timeline

PublishedSep 6

Latest updateNov 14

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶CVEListV5go_standard_library/encoding_gob1.23.0-0 — 1.23.1+1

🔴Vulnerability Details

OSV

golang-1.22 vulnerabilities↗2024-10-23

▶

CVEList

Stack exhaustion in Decoder.Decode in encoding/gob↗2024-09-06

▶

OSV

Stack exhaustion in Decoder.Decode in encoding/gob↗2024-09-06

▶

GHSA

GHSA-crqm-pwhx-j97f: Calling Decoder↗2024-09-06

▶

OSV

CVE-2024-34156: Calling Decoder↗2024-09-06

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Ubuntu

Go vulnerabilities↗2024-11-14

▶

Ubuntu

Go vulnerabilities↗2024-10-23

▶

Microsoft

Stack exhaustion in Decoder.Decode in encoding/gob↗2024-09-10

▶

Red Hat

encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion↗2024-09-06

▶