// For flags

CVE-2024-24784

Comments in display names are incorrectly handled in net/mail

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

La función ParseAddressList controla incorrectamente los comentarios (texto entre paréntesis) dentro de los nombres para mostrar. Dado que se trata de una desalineación con los analizadores de direcciones conformes, puede dar lugar a que los programas que utilizan diferentes analizadores tomen diferentes decisiones de confianza.

A flaw was found in Go's net/mail standard library package. The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions made by programs using different parsers.

This update for go1.21-openssl fixes the following issues. Fixed denial of service due to improper 100-continue handling. Fixed mishandling of corrupt central directory record in archive/zip. Fixed unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip. Fixed arbitrary code execution during build on darwin in cmd/go. Fixed denial of service due to close connections when receiving too many headers in net/http and x/net/http2. Fixed incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http and net/http/cookiejar. Fixed memory exhaustion in Request.ParseMultipartForm in net/http. Fixed denial of service on certificates with an unknown public key algorithm in crypto/x509. Fixed comments in display names are incorrectly handled in net/mail. Fixed errors returned from MarshalJSON methods may break template escaping in html/template.

*Credits: Juho Nurminen of Mattermost, Slonser (https://github.com/Slonser)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Complete
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-01-30 CVE Reserved
  • 2024-03-05 CVE Published
  • 2025-02-13 CVE Updated
  • 2025-07-08 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-115: Misinterpretation of Input
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Go Standard Library
Search vendor "Go Standard Library"
 Net/mail
Search vendor "Go Standard Library" for product "Net/mail"
 < 1.21.8
Search vendor "Go Standard Library" for product "Net/mail" and version " < 1.21.8"
en
Affected
Go Standard Library
Search vendor "Go Standard Library"
 Net/mail
Search vendor "Go Standard Library" for product "Net/mail"
 >= 1.22.0-0 < 1.22.1
Search vendor "Go Standard Library" for product "Net/mail" and version " >= 1.22.0-0 < 1.22.1"
en
Affected