CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51744 – Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt
https://notcve.org/view.php?id=CVE-2024-51744
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. • https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30636 – Limited directory traversal vulnerability on Windows in golang.org/x/crypto
https://notcve.org/view.php?id=CVE-2022-30636
httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. • https://go.dev/cl/408694 https://go.dev/issue/53082 https://pkg.go.dev/vuln/GO-2024-2961 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24792 – Panic when parsing invalid palette-color images in golang.org/x/image
https://notcve.org/view.php?id=CVE-2024-24792
Parsing a corrupt or malicious image with invalid color indices can cause a panic. • https://go.dev/cl/588115 https://go.dev/issue/67624 https://pkg.go.dev/vuln/GO-2024-2937 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24789 – Mishandling of corrupt central directory record in archive/zip
https://notcve.org/view.php?id=CVE-2024-24789
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. El manejo que hace el paquete archive/zip de ciertos tipos de archivos zip no válidos difiere del comportamiento de la mayoría de las implementaciones zip. Esta desalineación podría aprovecharse para crear un archivo zip con contenidos que varían según la implementación que lea el archivo. • http://www.openwall.com/lists/oss-security/2024/06/04/1 https://go.dev/cl/585397 https://go.dev/issue/66869 https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7 https://pkg.go.dev/vuln/GO-2024-2888 https://access.redhat.com/security/cve/CVE-2024-24789 https://bugzilla.redhat.com/show_bug.cgi?id=2292668 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24790 – Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip
https://notcve.org/view.php?id=CVE-2024-24790
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Los diversos métodos Is (IsPrivate, IsLoopback, etc.) no funcionaron como se esperaba para las direcciones IPv6 asignadas a IPv4, devolviendo falso para direcciones que devolverían verdadero en sus formas IPv4 tradicionales. A flaw was found in the Go language standard library net/netip. The method Is*() (IsPrivate(), IsPublic(), etc) doesn't behave properly when working with IPv6 mapped to IPv4 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data. • http://www.openwall.com/lists/oss-security/2024/06/04/1 https://go.dev/cl/590316 https://go.dev/issue/67680 https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ https://pkg.go.dev/vuln/GO-2024-2887 https://access.redhat.com/security/cve/CVE-2024-24790 https://bugzilla.redhat.com/show_bug.cgi?id=2292787 • CWE-115: Misinterpretation of Input •