History: Jun 28, 2024 - 9:10 p.m.

CVE-2024-38525 dd-trace-cpp malformed unicode header values may cause crash

2024-06-28 21:10:57
CWE-248
CWE-20
GitHub_M
www.cve.org
cve-2024-38525
dd-trace-cpp
unicode
header
crash
fix
patch
nlohmann json
vulnerability

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.0004 Low (Percentile: 9.1%)

dd-trace-cpp is the Datadog distributed tracing library for C++. When the library fails to extract trace context due to malformed Unicode, it logs the list of audited headers and their values using the nlohmann JSON library. However, due to the way the JSON library is invoked, it throws an uncaught exception, which results in a crash. This vulnerability has been patched in version 0.2.2.

CNA Affected

[
  {
    "vendor": "DataDog",
    "product": "dd-trace-cpp",
    "versions": [
      {
        "version": ">= 0.1.12, < 0.2.2",
        "status": "affected"
      }
    ]
  }
]
