Lucene search

K
cvelistGoogleCVELIST:CVE-2024-4420
HistoryMay 21, 2024 - 11:52 a.m.

CVE-2024-4420 Denial of Service in Tink-cc

2024-05-2111:52:28
CWE-116
Google
www.cve.org
denial of service
vulnerability
tink-cc
json
upgrade
stack overflow
binaries

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

There exists a Denial of service vulnerability in Tink-cc in versions prior to 2.1.3.  * An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input that is not an encoded JSON object, but still a valid encoded JSON element, for example a number or an array. This will crash as Tink just assumes any valid JSON input will contain an object.

  • An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input containing many nested JSON objects. This may result in a stack overflow.

We recommend upgrading to version 2.1.3 or above

CNA Affected

[
  {
    "collectionURL": "https://github.com/tink-crypto/tink-cc/",
    "defaultStatus": "unaffected",
    "packageName": "Tink-cc",
    "product": "Tink",
    "repo": "https://github.com/tink-crypto",
    "vendor": "Google",
    "versions": [
      {
        "lessThan": "2.1.3",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "collectionURL": "https://github.com/google/tink",
    "defaultStatus": "unaffected",
    "packageName": "Tink-crypto (legacy)",
    "product": "Tink (Legacy)",
    "repo": "https://github.com/google/tink",
    "vendor": "Google",
    "versions": [
      {
        "lessThanOrEqual": "1.7.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

6.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

Related for CVELIST:CVE-2024-4420