CVE-2024-25110
Azure IoT Platform Device SDK Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail causing a use-after-free issue and if a client called it during connection communication it may cause a remote code execution. Users are advised to update the submodule with commit `30865c9c`. There are no known workarounds for this vulnerability.
UAMQP es una librería C de uso general para AMQP 1.0. Durante una llamada a open_get_offered_capabilities, una asignación de memoria puede fallar causando un problema de use-after-free y si un cliente lo llamó durante la comunicación de conexión, puede causar una ejecución remota de código. Se recomienda a los usuarios actualizar el submódulo con el commit `30865c9c`. No se conocen workarounds para esta vulnerabilidad.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2024-02-05 CVE Reserved
- 2024-02-12 CVE Published
- 2024-08-01 CVE Updated
- 2024-10-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695 | X_refsource_misc | |
| https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| - | - | - | - | - | ||||||