Mishandling of corrupt central directory record in archive/zip
CVE-2024-24789

5.5MEDIUM

Key Information:

Vendor: Go Standard Library
Status: Archive/zip
Vendor: CVE Published:; 5 June 2024

What is CVE-2024-24789?

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

Affected Version(s)

archive/zip 0 < 1.21.11

archive/zip 1.22.0-0 < 1.22.4

References

https://go.dev/cl/585397

https://go.dev/issue/66869

https://groups.google.com/g/golang-announce/c/XbxouI9gY7k...

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 5, 2024

Credit

Yufan You (@ouuan)

Go Standard Library

What is CVE-2024-24789?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit