CVSS3: 5.5 Medium (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |
AI Score: 6.5 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 9.9%)
The archive/zip package’s handling of certain types of invalid zip files
differs from the behavior of most zip implementations. This misalignment
could be exploited to create a zip file whose contents vary depending
on the implementation reading the file. The archive/zip package now rejects
files containing these errors.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.14 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.16 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.16 | < any | UNKNOWN |
github.com/golang/go/issues/66869
go.dev/cl/585397
go.dev/issue/66869
groups.google.com/g/golang-announce/c/XbxouI9gY7k
groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
launchpad.net/bugs/cve/CVE-2024-24789
nvd.nist.gov/vuln/detail/CVE-2024-24789
pkg.go.dev/vuln/GO-2024-2888
security-tracker.debian.org/tracker/CVE-2024-24789
www.cve.org/CVERecord?id=CVE-2024-24789