
CVE-2024-24786

Infinite loop in JSON unmarshaling in google.golang.org/protobuf

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

A flaw was found in Golang's protobuf module (google.golang.org/protobuf), where the unmarshal function can enter an infinite loop when processing certain invalid inputs. This occurs during unmarshaling into a message that includes a google.protobuf.Any, or when the UnmarshalOptions.DiscardUnknown option is enabled. An attacker who controls the input could supply carefully constructed invalid JSON that drives the function into the infinite loop, resulting in a denial of service condition or other unintended behavior in the affected system.
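The record above gives two concrete facts a defender can act on: the affected module is google.golang.org/protobuf and the first fixed release is v1.33.0. The Go program below is an added example, not part of this CVE record or of the protobuf project; it reads go.mod text, extracts the required google.golang.org/protobuf version from either a one-line `require` or a `require ( ... )` block, and reports whether that version is below v1.33.0, treating pre-releases and Go pseudo-versions as older than the tagged release with the same numbers. The go.mod content, the module path example.com/service and the dependency github.com/example/dep are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path and first fixed version named in the CVE-2024-24786 record.
const protobufModule, fixedVersion = "google.golang.org/protobuf", "v1.33.0"

// semver is a parsed Go module version; pre is the pre-release tag (which
// also covers Go pseudo-versions) and is "" for a tagged release.
type semver struct {
	nums [3]int
	pre  string
}

// parseSemver accepts v1.32.0, v1.33.0-rc1 or a pseudo-version such as
// v1.32.1-0.20240101000000-abcdef123456.
func parseSemver(v string) (semver, error) {
	v = strings.TrimPrefix(v, "v")
	var s semver
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, s.pre = v[:i], v[i+1:]
	}
	n, err := fmt.Sscanf(v, "%d.%d.%d", &s.nums[0], &s.nums[1], &s.nums[2])
	if err != nil || n != 3 {
		return semver{}, fmt.Errorf("not a major.minor.patch version: %q", v)
	}
	return s, nil
}

// less reports whether a sorts before b.
func (a semver) less(b semver) bool {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	// Same numbers: a release outranks any pre-release or pseudo-version.
	switch {
	case a.pre == b.pre, a.pre == "":
		return false
	case b.pre == "":
		return true
	}
	return a.pre < b.pre
}

// ProtobufVersion returns the google.golang.org/protobuf version that go.mod
// text requires (one-line or block form), or "" if the module is absent.
func ProtobufVersion(gomod string) string {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // strip trailing comment
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "require (" || (inBlock && line == ")") { // enter/leave block
			inBlock = line == "require ("
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) < 3 || fields[0] != "require" {
				continue
			}
			fields = fields[1:]
		}
		if len(fields) >= 2 && fields[0] == protobufModule {
			return fields[1]
		}
	}
	return ""
}

// IsAffected reports whether go.mod requires a google.golang.org/protobuf
// version below v1.33.0, the range this record lists as affected.
func IsAffected(gomod string) (bool, error) {
	ver := ProtobufVersion(gomod)
	if ver == "" {
		return false, fmt.Errorf("%s is not required in go.mod", protobufModule)
	}
	got, err := parseSemver(ver)
	fixed, _ := parseSemver(fixedVersion) // constant, known to parse
	return err == nil && got.less(fixed), err
}

// sampleGoMod is a constructed go.mod, not taken from any real project.
const sampleGoMod = `module example.com/service

require (
	github.com/example/dep v0.3.1
	google.golang.org/protobuf v1.32.0 // indirect
)
`

func main() {
	affected, err := IsAffected(sampleGoMod)
	fmt.Println(ProtobufVersion(sampleGoMod), "affected:", affected, "err:", err)
}
```

The version in go.mod is the minimum the module requires, not necessarily the version the build selects, so this is a triage check rather than a verdict: `go list -m google.golang.org/protobuf` prints the version actually selected for the build, `replace` directives are not handled here, and govulncheck compares the resolved module graph against the Go vulnerability database. Once a build is confirmed to be on v1.33.0 or later, the protojson.Unmarshal loop this record describes is fixed.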

*Credits: N/A
CVSS Scores
The record lists two CVSS v3.1 scorings, identical except for Attack Complexity:

Metric               First scoring   Second scoring
Attack Vector        Network         Network
Attack Complexity    Low             High
Privileges Required  None            None
User Interaction     None            None
Scope                Unchanged       Unchanged
Confidentiality      None            None
Integrity            None            None
Availability         High            High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-01-30 CVE Reserved
  • 2024-03-05 CVE Published
  • 2024-03-24 EPSS Updated
  • 2024-11-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
Affected Vendors, Products, and Versions
Vendor                      Product                                            Version    Status
google.golang.org/protobuf  google.golang.org/protobuf/encoding/protojson      < 1.33.0   Affected
google.golang.org/protobuf  google.golang.org/protobuf/internal/encoding/json  < 1.33.0   Affected