Main Vulnerability Database Vulnerabilities #VU91160

#VU91160 Input validation error in Go programming language - CVE-2024-24790

Published: June 5, 2024

Vulnerability identifier: #VU91160

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-24790

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Go programming language

Software vendor:
Google

Description

The vulnerability allows a remote attacker to modify application behavior.

The vulnerability exists due to improper handling of IPv4-mapped IPv6 addresses in net/netip within multiple methods, e.g. IsPrivate, IsLoopback. The affected methods return false for addresses which would return true in their traditional IPv4 forms, leading to potential bypass of implemented security features.

Remediation

Install updates from vendor's website.

External links

https://groups.google.com/g/golang-announce/c/XbxouI9gY7k
https://github.com/golang/go/issues/67680

#VU91160 Input validation error in Go programming language - CVE-2024-24790

Description

Remediation

External links

Please verify you're human