Fluid Attacks Database

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
go	stdlib	>=0 <1.22.7	1.22.7
rpm rhel9.2	golang	<0:1.19.13-12.el9_2	0:1.19.13-12.el9_2
rpm rhel9	delve	<0:1.24.1-2.el9_5	0:1.24.1-2.el9_5
rpm rhel8	git-lfs	<0:3.4.1-3.el8_10	0:3.4.1-3.el8_10
rpm rhel8.8	git-lfs	<0:3.2.0-2.el8_8.2	0:3.2.0-2.el8_8.2
rpm rhel8	go-toolset	<0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6	0:1.21.13-1.module+el8.10.0+22329+6cd5c9c6
rpm rhel9.2	grafana	<0:9.0.9-5.el9_2	0:9.0.9-5.el9_2
rpm rhel9.2	skopeo	<2:1.11.2-0.1.el9_2.2	2:1.11.2-0.1.el9_2.2

1-10 of 31

Aliases

1. CVE-2024-341562. NVD-2024-341563. OSV-DEBIAN-2024-341564. OSV-2024-341565. OSV-GO-2024-31066. GCVE-2024-341567. SECURITY-TRACKER-CVE-2024-34156

References

1. https://go.dev/cl/6112392. https://go.dev/issue/691393. https://groups.google.com/g/golang-dev/c/S9POB9NCTdk

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.