CVE-2024-24789
Aliases:GO-2024-2888BIT-golang-2024-24789CGA-4r7q-83hj-9rrpGHSA-236w-p7wf-5ph8
Advisory lineage Upstream: 0 Downstream: 27
Modified
Published: 05 Jun 2024, 15:13
Last modified:13 Feb 2025, 17:40
Vulnerability Summary
Overall Risk (default)
low
22/100 CVSS Score
5.5 MEDIUM
v3.1 (nvd)
EPSS Score
<0.01% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
05 Jun 2024, 15:13
Published
Vulnerability first disclosed
13 Feb 2025, 17:40
Last Modified
Vulnerability information updated
Description
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Trends
Current EPSS score: 0.01%• Percentile: 1%
Affected Systems
- chainguard•gpu-feature-discovery
< 0.8.2-r1
- go standard library•archive/zip
< 1.21.11 | ≥ 1.22.0-0, < 1.22.4
- golang•go
< 1.21.11 | ≥ 1.22.0, < 1.22.4
- Go•stdlib
≥ 1.22.0-0, < 1.22.4
References (7)
- https://go.dev/cl/585397
- https://go.dev/issue/66869
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
- https://pkg.go.dev/vuln/GO-2024-2888
- http://www.openwall.com/lists/oss-security/2024/06/04/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/
- https://security.netapp.com/advisory/ntap-20250131-0008/