Lucene search

K
cveGoCVE-2024-34158
HistorySep 06, 2024 - 9:15 p.m.

CVE-2024-34158

2024-09-0621:15:12
CWE-674
Go
web.nvd.nist.gov
45
20
parse build tag stack exhaustion

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.5

Confidence

High

EPSS

0

Percentile

16.3%

Calling Parse on a “// +build” build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

CNA Affected

[
  {
    "vendor": "Go standard library",
    "product": "go/build/constraint",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "go/build/constraint",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.22.7",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.23.0-0",
        "lessThan": "1.23.1",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "parsePlusBuildExpr"
      },
      {
        "name": "exprParser.not"
      },
      {
        "name": "Parse"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Social References

More

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.5

Confidence

High

EPSS

0

Percentile

16.3%

Related for CVE-2024-34158