History: Jun 28, 2024 - 10:15 p.m.

CVE-2024-38525

2024-06-28 22:15:02
CWE-248
CWE-20
web.nvd.nist.gov
datadog distributed tracing
unauthorized access
crashes
unicode
json library

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.0004 Low
Percentile: 9.1%

dd-trace-cpp is Datadog's distributed tracing library for C++. When the library fails to extract trace context because of malformed Unicode, it logs the list of audited headers and their values using the nlohmann JSON library. However, because of the way the JSON library is invoked, it throws an uncaught exception, which results in a crash. This vulnerability has been patched in version 0.2.2.
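
One way to keep an error-logging path like the one described above from throwing, shown as an added example that is not dd-trace-cpp's code or its 0.2.2 patch: scrub header values to well-formed UTF-8 before they reach a JSON serializer. The function names `utf8_seq_len`, `is_valid_utf8` and `scrub_utf8` are hypothetical, and header values are assumed to be available as `std::string`.

```cpp
// Added example: scrub header values to well-formed UTF-8 before logging them.
// Assumption: header values are available as std::string; names are hypothetical.
#include <cstddef>
#include <string>

// Length of the well-formed UTF-8 sequence at s[i], or 0 if malformed. Rejects
// overlong encodings, UTF-16 surrogates and code points above U+10FFFF.
static std::size_t utf8_seq_len(const std::string& s, std::size_t i) {
    auto byte = [&](std::size_t k) { return static_cast<unsigned char>(s[k]); };
    const unsigned char b0 = byte(i);
    if (b0 < 0x80) return 1;
    std::size_t len = 0;
    unsigned char lo = 0x80, hi = 0xBF;      // allowed range for the second byte
    if (b0 >= 0xC2 && b0 <= 0xDF) len = 2;
    else if (b0 >= 0xE0 && b0 <= 0xEF) {
        len = 3;
        if (b0 == 0xE0) lo = 0xA0;           // would be an overlong encoding
        if (b0 == 0xED) hi = 0x9F;           // would be a UTF-16 surrogate
    } else if (b0 >= 0xF0 && b0 <= 0xF4) {
        len = 4;
        if (b0 == 0xF0) lo = 0x90;           // would be an overlong encoding
        if (b0 == 0xF4) hi = 0x8F;           // would exceed U+10FFFF
    } else return 0;                         // stray continuation, 0xC0/0xC1, 0xF5+
    if (i + len > s.size()) return 0;        // sequence truncated by end of input
    if (byte(i + 1) < lo || byte(i + 1) > hi) return 0;
    for (std::size_t k = 2; k < len; ++k)
        if ((byte(i + k) & 0xC0) != 0x80) return 0;
    return len;
}

bool is_valid_utf8(const std::string& s) {
    for (std::size_t i = 0; i < s.size();) {
        const std::size_t n = utf8_seq_len(s, i);
        if (n == 0) return false;
        i += n;
    }
    return true;
}

// Copy of `s` with every malformed byte replaced by U+FFFD (EF BF BD).
std::string scrub_utf8(const std::string& s) {
    std::string out;
    for (std::size_t i = 0; i < s.size();) {
        const std::size_t n = utf8_seq_len(s, i);
        if (n == 0) { out += "\xEF\xBF\xBD"; ++i; }
        else { out.append(s, i, n); i += n; }
    }
    return out;
}
```

Scrubbing input does not replace exception handling on the logging path itself; a diagnostic routine that can throw should still be guarded so a logging failure cannot terminate the process.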

Affected configurations

Vulners
Node: datadog dd-trace, Range: 0.1.12 - 0.2.2

CNA Affected

[
  {
    "vendor": "DataDog",
    "product": "dd-trace-cpp",
    "versions": [
      {
        "version": ">= 0.1.12, < 0.2.2",
        "status": "affected"
      }
    ]
  }
]
