
CVE-2024-24786

Published: 05/03/2024 Updated: 10/06/2024

Vulnerability Summary

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits a malicious user to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for a malicious user to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. (CVE-2023-45288)

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. (CVE-2024-24786)
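Both summaries describe behaviour, not how to find affected deployments. The Go program below is an added example written for this page; it is not code from the Go project, the protobuf project, or any of the advisories listed here. It parses the output of `go version -m <binary...>` and flags a binary whose Go toolchain, golang.org/x/net or google.golang.org/protobuf module is still below the fixed release. The fixed versions it assumes are taken from the Go vulnerability database: Go 1.21.9 / 1.22.2 and golang.org/x/net v0.23.0 for CVE-2023-45288, and google.golang.org/protobuf v1.33.0 for CVE-2024-24786. The embedded `go version -m` output is constructed: the binary paths are made up and the module sums are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding: one component of one binary that is still below its fixed version.
type Finding struct{ Binary, Component, Version, CVE string }

type semver [3]int

func (a semver) less(b semver) bool { return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2]) }

// Constructed `go version -m` output for two made-up binaries; the h1: sums are placeholders.
const sampleGoVersionM = "/opt/app/bin/api: go1.22.1\n" +
	"\tpath\texample.com/api\n" +
	"\tdep\tgolang.org/x/net\tv0.22.0\th1:placeholder\n" +
	"\tdep\tgoogle.golang.org/protobuf\tv1.32.0\th1:placeholder\n" +
	"/opt/app/bin/worker: go1.21.9\n" +
	"\tdep\tgolang.org/x/net\tv0.23.0\th1:placeholder\n" +
	"\tdep\tgoogle.golang.org/protobuf\tv1.32.0\th1:placeholder\n" +
	"\t=>\tgoogle.golang.org/protobuf\tv1.33.0\th1:placeholder\n"

// First fixed release of each tracked module, per the Go vulnerability database entries.
type fixInfo struct{ fixed semver; cve string }
var depFixes = map[string]fixInfo{
	"golang.org/x/net":           {semver{0, 23, 0}, "CVE-2023-45288"},
	"google.golang.org/protobuf": {semver{1, 33, 0}, "CVE-2024-24786"},
}

// parseVersion reads the leading MAJOR.MINOR.PATCH of "v1.33.0", "go1.22.1", "go1.22rc1" or a
// pseudo-version such as "v0.23.1-0.20240401123456-abcdef123456"; "(devel)" yields ok == false.
func parseVersion(s string) (v semver, ok bool) {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i] // drop pre-release / build metadata
	}
	for i, part := range strings.SplitN(s, ".", 3) {
		if _, err := fmt.Sscanf(part, "%d", &v[i]); err != nil {
			return semver{}, false
		}
	}
	return v, true
}

// CVE-2023-45288 was fixed in Go 1.21.9 and 1.22.2; older release branches never
// received a fix, so any binary built on them counts as affected.
func goToolchainAffected(v semver) bool {
	switch {
	case v[0] != 1 || v[1] > 22:
		return false
	case v[1] == 22:
		return v.less(semver{1, 22, 2})
	case v[1] == 21:
		return v.less(semver{1, 21, 9})
	}
	return true
}

// Scan parses `go version -m` output for one or more binaries and reports every toolchain or
// tracked module below its fix. Versions it cannot parse are reported so they get a manual look.
func Scan(output string) []Finding {
	var findings []Finding
	binary, lastDep, lastFlagged := "", "", false
	for _, line := range strings.Split(output, "\n") {
		if !strings.HasPrefix(line, "\t") { // header line: "<path>: go1.22.1"
			if name, ver, ok := strings.Cut(line, ": "); ok {
				binary = name
				if v, ok := parseVersion(ver); !ok || goToolchainAffected(v) {
					findings = append(findings, Finding{binary, "go", ver, "CVE-2023-45288"})
				}
			}
			continue
		}
		f := strings.Split(line[1:], "\t")
		if len(f) < 3 || (f[0] != "dep" && f[0] != "=>") {
			continue
		}
		if f[0] == "dep" {
			lastDep, lastFlagged = f[1], false
		} else if lastFlagged { // a "=>" replace line overrides the dep line above it
			findings, lastFlagged = findings[:len(findings)-1], false
		}
		if fix, ok := depFixes[lastDep]; ok {
			if v, ok := parseVersion(f[2]); !ok || v.less(fix.fixed) {
				findings = append(findings, Finding{binary, f[1], f[2], fix.cve})
				lastFlagged = true
			}
		}
	}
	return findings
}

func main() {
	for _, f := range Scan(sampleGoVersionM) {
		fmt.Printf("%s: %s %s is below the fix for %s\n", f.Binary, f.Component, f.Version, f.CVE)
	}
}
```

The toolchain check exists because net/http bundles x/net/http2, so a server that uses only the standard library is affected by CVE-2023-45288 through the Go release it was built with, with no golang.org/x/net line to look at. A `=>` replace line is judged against the original module's fix version, which is right for a pinned upstream version but not for a fork with its own numbering; those still need a manual look. Unparseable versions such as `(devel)` are reported rather than silently passed. For real binaries, feed `Scan` the output of `go version -m` over your deployed executables, or use the Go team's own tool, `govulncheck -mode=binary <binary>`, which performs this comparison against the live database.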

Vendor Advisories

Debian Bug report logs - #1065684 golang-google-protobuf: CVE-2024-24786 Package: src:golang-google-protobuf; Maintainer for src:golang-google-protobuf is Debian Go Packaging Team <team+pkg-go@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 8 Mar 2024 21:27:02 UTC Severity: impo ...
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but ...

Mailing Lists

groups.google.com/g/golang-announce/c/5pwGVUPoMbg announces the releases of Go 1.22.1 and Go 1.21.8 containing fixes for 5 CVEs: - crypto/x509: Verify panics on certificates with an unknown public key algorithm. Verifying a certificate chain which contains a certificate with an unknown public key algorithm will ca ...

Github Repositories

Rancher/k3s cluster in docker containers: learning how to deploy a simple 3-node (1 server and 2 agents) k3s cluster with the Rancher UI installed through a docker-compose file.

Environment: it is possible to define environment variables in a .env file at the same level as the docker-compose file. ENV: K3S_VERSION: official rancher/k3s image version (default latest); K3S_URL: server URL; K3S_ ...
Rancher/k3s cluster in docker containers Learning how to deploy a simple 3 nodes (1 server and 2 agents) k3s cluster with rancher ui installed through a docker-compose Environment It's possible to define env variables in a env file at the same level of the docker compose file ENV: K3S_VERSION: official rancher/k3s image version (default latest) K3S_URL: server url K3S_