Lucene search

[email protected]CVE-2024-1394

HistoryMar 21, 2024 - 1:00 p.m.

CVE-2024-1394

2024-03-2113:00:08

CWE-401

[email protected]

web.nvd.nist.gov

292

golang

memory leak

rsa

encryption

decryption

vulnerability

resource exhaustion

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.0005 Low

EPSS

Percentile

16.7%

JSON

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the “return nil, nil, fail(…)” pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

References

access.redhat.com/errata/RHSA-2024:1462

access.redhat.com/errata/RHSA-2024:1468

access.redhat.com/errata/RHSA-2024:1472

access.redhat.com/errata/RHSA-2024:1501

access.redhat.com/errata/RHSA-2024:1502

access.redhat.com/errata/RHSA-2024:1561

access.redhat.com/errata/RHSA-2024:1563

access.redhat.com/errata/RHSA-2024:1566

access.redhat.com/errata/RHSA-2024:1567

access.redhat.com/errata/RHSA-2024:1574

access.redhat.com/errata/RHSA-2024:1640

access.redhat.com/errata/RHSA-2024:1644

access.redhat.com/errata/RHSA-2024:1646

access.redhat.com/errata/RHSA-2024:1763

access.redhat.com/errata/RHSA-2024:1897

access.redhat.com/errata/RHSA-2024:2562

access.redhat.com/errata/RHSA-2024:2568

access.redhat.com/errata/RHSA-2024:2569

access.redhat.com/errata/RHSA-2024:2729

access.redhat.com/errata/RHSA-2024:2730

access.redhat.com/errata/RHSA-2024:2767

access.redhat.com/errata/RHSA-2024:3265

access.redhat.com/security/cve/CVE-2024-1394

bugzilla.redhat.com/show_bug.cgi?id=2262921

github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136

github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6

github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f

pkg.go.dev/vuln/GO-2024-2660

vuln.go.dev/ID/GO-2024-2660.json

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.0005 Low

EPSS

Percentile

16.7%

JSON

Related for CVE-2024-1394

nessus49 rocky7 osv20 redhat28 veracode1 oraclelinux10 almalinux10 cvelist1 redhatcve1 github1 ibm1