CVE-2024-24789

{"id": "CVE-2024-24789", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.8}]}, "published": "2024-06-05T16:15:10.470", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/06/04/1", "tags": ["Mailing List"], "source": "security@golang.org"}, {"url": "https://go.dev/cl/585397", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/66869", "tags": ["Issue Tracking", "Patch"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ", "tags": ["Release Notes"], "source": "security@golang.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/", "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2024-2888", "tags": ["Third Party Advisory"], "source": "security@golang.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors."}, {"lang": "es", "value": "El manejo que hace el paquete archive/zip de ciertos tipos de archivos zip no v\u00e1lidos difiere del comportamiento de la mayor\u00eda de las implementaciones zip. Esta desalineaci\u00f3n podr\u00eda aprovecharse para crear un archivo zip con contenidos que var\u00edan seg\u00fan la implementaci\u00f3n que lea el archivo. El paquete archive/zip ahora rechaza los archivos que contienen estos errores."}], "lastModified": "2024-07-03T01:48:25.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A191F39-17BE-4051-A445-E60525659377", "versionEndExcluding": "1.21.11"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B85AD31-1004-48F3-9A80-7CF48CD0CEA7", "versionEndExcluding": "1.22.4", "versionStartIncluding": "1.22.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}