Vulnerability Description
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.21.11 |
References
- http://www.openwall.com/lists/oss-security/2024/06/04/1Mailing List
- https://go.dev/cl/585397Patch
- https://go.dev/issue/66869Issue TrackingPatch
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJRelease Notes
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://pkg.go.dev/vuln/GO-2024-2888Third Party Advisory
- http://www.openwall.com/lists/oss-security/2024/06/04/1Mailing List
- https://go.dev/cl/585397Patch
- https://go.dev/issue/66869Issue TrackingPatch
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJRelease Notes
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://pkg.go.dev/vuln/GO-2024-2888Third Party Advisory
- https://security.netapp.com/advisory/ntap-20250131-0008/
FAQ
What is CVE-2024-24789?
CVE-2024-24789 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents...
How severe is CVE-2024-24789?
CVE-2024-24789 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-24789?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go.