Infinite loop in protobuf-go

#VU87326 Infinite loop in protobuf-go

Published: 2024-03-11 | Updated: 2024-03-28

Vulnerability identifier: #VU87326

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24786

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
protobuf-go
Universal components / Libraries / Programming Languages & Components

Vendor: Google

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when parsing data in an invalid JSON format within the protojson.Unmarshal() function. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

protobuf-go: 1.20.0 - 1.32.0

External links
http://go.dev/cl/569356
http://pkg.go.dev/vuln/GO-2024-2611

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

gin update for protobuf-go

Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Red Hat Enterprise Linux 9 update for skopeo

Red Hat Enterprise Linux 9 update for buildah

Red Hat Enterprise Linux 9 update for podman

Multiple vulnerabilities in Red Hat Migration Toolkit for Containers (MTC) 1.7

Ubuntu update for google-guest-agent

Multiple vulnerabilities in Red Hat OpenShift Service Mesh Containers 2.5

Multiple vulnerabilities in Red Hat Migration Toolkit for Containers (MTC) 1.8

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.14