UAMQP: Memory Allocation Vulnerability May Lead to Remote Code Execution
CVE-2024-25110

8.1 HIGH

Key Information:

Vendor

Azure

CVE Published: 12 February 2024

What is CVE-2024-25110?

UAMQP is a general-purpose C library for AMQP 1.0 applications. It is affected by a vulnerability in the open_get_offered_capabilities function: when a memory allocation fails during the call, a use-after-free can occur, and because this happens while a connection is actively communicating, an attacker who can trigger the condition could potentially achieve remote code execution. The fix is in commit 30865c9c; users should update their submodule to a version that includes it. No workarounds are known.
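The bug class described above, as an added C illustration that is not UAMQP's code: a hypothetical accessor that copies a connection's offered-capabilities list, plus a fault-injecting allocator (constructed here) so the allocation-failure path can be exercised deterministically. The names open_instance, inject_malloc, get_offered_capabilities_copy and free_capabilities_copy are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the library's OPEN handle (not UAMQP's type). */
typedef struct {
    char **capabilities; /* owned by the connection, never by a caller */
    size_t count;
} open_instance;

/* Fault-injecting allocator (constructed for this example): once the countdown
 * reaches 0 every allocation fails; -1 means never fail. This lets the
 * allocation-failure path be exercised deterministically in a test. */
static int allocs_until_fail = -1;
static void *inject_malloc(size_t n) {
    if (allocs_until_fail == 0) return NULL;
    if (allocs_until_fail > 0) allocs_until_fail--;
    return malloc(n);
}

/* Copies the connection's offered-capabilities list for the caller. The error
 * path releases only memory this call allocated and leaves the connection and
 * *out untouched. A cleanup path that instead freed conn->capabilities[]
 * would leave the live connection holding dangling pointers, and the next
 * access on that connection would be the use-after-free described above. */
int get_offered_capabilities_copy(const open_instance *conn, char ***out) {
    char **copy = inject_malloc(conn->count * sizeof *copy);
    if (copy == NULL) return -1;
    for (size_t i = 0; i < conn->count; i++) {
        copy[i] = inject_malloc(strlen(conn->capabilities[i]) + 1);
        if (copy[i] == NULL) {
            while (i > 0) free(copy[--i]); /* unwind only our partial work */
            free(copy);
            return -1;                     /* caller sees failure; nothing dangles */
        }
        strcpy(copy[i], conn->capabilities[i]);
    }
    *out = copy;
    return 0;
}

/* Releases a copy returned by get_offered_capabilities_copy. */
void free_capabilities_copy(char **copy, size_t count) {
    for (size_t i = 0; i < count; i++) free(copy[i]);
    free(copy);
}
```

Setting allocs_until_fail to a small number before the call simulates the allocation failure at a chosen point; the connection's own data must still be readable afterwards.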

Affected Version(s)

azure-uamqp-c < 2024-01-01

News Articles

CVE-2024-25110 : AZURE AZURE-UAMQP-C 1.0 OPEN_GET_OFFERED_CAPABILITIES USE AFTER FREE - Cloud WAF

CVE-2024-25110 : The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by prophaze.com
  • Vulnerability published
  • Vulnerability reserved