Main Vulnerability Database Vulnerabilities #VU91160

Input validation error in Go programming language - CVE-2024-24790

Published: June 5, 2024

Vulnerability identifier: #VU91160

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-24790

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Go programming language

Detailed vulnerability description

The vulnerability allows a remote attacker to modify application behavior.

The vulnerability exists due to improper handling of IPv4-mapped IPv6 addresses in net/netip within multiple methods, e.g. IsPrivate, IsLoopback. The affected methods return false for addresses which would return true in their traditional IPv4 forms, leading to potential bypass of implemented security features.

How to mitigate CVE-2024-24790

Install updates from vendor's website.

Sources

https://groups.google.com/g/golang-announce/c/XbxouI9gY7k
https://github.com/golang/go/issues/67680

Input validation error in Go programming language - CVE-2024-24790

Detailed vulnerability description

How to mitigate CVE-2024-24790

Sources

Please verify you're human