ghsa-8r3f-844c-mc37
Vulnerability from github
Published
2024-03-06 00:31
Modified
2024-06-10 18:30
Summary
Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON
Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "google.golang.org/protobuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.33.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "google.golang.org/protobuf/encoding/protojson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.33.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "google.golang.org/protobuf/internal/encoding/json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.33.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24786"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-13T21:01:28Z",
    "nvd_published_at": "2024-03-05T23:15:07Z",
    "severity": "MODERATE"
  },
  "details": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.",
  "id": "GHSA-8r3f-844c-mc37",
  "modified": "2024-06-10T18:30:52Z",
  "published": "2024-03-06T00:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24786"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/protocolbuffers/protobuf-go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/569356"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-2611"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240517-0002"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/08/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.