CVE-2024-24786: 
cAdvisor vulnerability analysis and mitigation

CVE-2024-24786 is a vulnerability in the protojson.Unmarshal function of Google's Protocol Buffers (protobuf) implementation that can cause an infinite loop when processing certain forms of invalid JSON. The vulnerability was discovered in early 2024 and affects versions prior to 1.33.0. This condition specifically occurs when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set (Go Packages, OSS Security).

The vulnerability exists in the protojson.Unmarshal function's handling of invalid JSON inputs. When processing certain malformed JSON data, the function can enter an infinite loop instead of properly handling the error condition. This occurs under two specific conditions: either when unmarshaling into a message containing a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is enabled. The issue has been assigned a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

The successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition. When triggered, the infinite loop in the Unmarshal function can cause the affected application to become unresponsive, potentially impacting system availability (NetApp Security).

The primary mitigation for this vulnerability is to update to google.golang.org/protobuf version 1.33.0 or later, which properly handles the invalid inputs by returning an error instead of entering an infinite loop. For users of the older github.com/golang/protobuf module, updating to version 1.5.4 is recommended (OSS Security).