GoogleCVELIST:CVE-2024-4420CVE-2024-4420 Denial of Service in Tink-cc
6.8 Medium
CVSS4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
ACTIVE
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/SC:N/VI:N/SI:N/VA:H/SA:H/S:N/AU:Y/U:Green/V:D/RE:L
6.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%
There exists a Denial of service vulnerability in Tink-cc in versions prior to 2.1.3. * An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input that is not an encoded JSON object, but still a valid encoded JSON element, for example a number or an array. This will crash as Tink just assumes any valid JSON input will contain an object.
- An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input containing many nested JSON objects. This may result in a stack overflow.
We recommend upgrading to version 2.1.3 or above
CNA Affected
[
{
"collectionURL": "https://github.com/tink-crypto/tink-cc/",
"defaultStatus": "unaffected",
"packageName": "Tink-cc",
"product": "Tink",
"repo": "https://github.com/tink-crypto",
"vendor": "Google",
"versions": [
{
"lessThan": "2.1.3",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com/google/tink",
"defaultStatus": "unaffected",
"packageName": "Tink-crypto (legacy)",
"product": "Tink (Legacy)",
"repo": "https://github.com/google/tink",
"vendor": "Google",
"versions": [
{
"lessThanOrEqual": "1.7.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
]References
Related
6.8 Medium
CVSS4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
ACTIVE
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/SC:N/VI:N/SI:N/VA:H/SA:H/S:N/AU:Y/U:Green/V:D/RE:L
6.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.0%