Vulnerability DatabaseCVE-2024-24790

CVE-2024-24790:
cAdvisor vulnerability analysis and mitigation

Overview

CVE-2024-24790 is a vulnerability discovered in the Go language standard library's net/netip package. The issue affects the various Is methods (IsPrivate, IsLoopback, etc) which did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. The vulnerability was reported by Enze Wang of Alioth (@zer0yu) and Jianjun Chen of Zhongguancun Lab (@chenjj) (Golang Announce).

Technical details

The vulnerability has been assigned a CVSS 3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue specifically affects Go versions prior to 1.21.11 and versions from 1.22.0-0 before 1.22.4. The vulnerability impacts several methods in the net/netip package including Addr.IsGlobalUnicast, Addr.IsInterfaceLocalMulticast, Addr.IsLinkLocalMulticast, Addr.IsLoopback, Addr.IsMulticast, and Addr.IsPrivate (Go Vuln).

Impact

When successfully exploited, this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The critical CVSS score indicates high impact potential across confidentiality, integrity, and availability (Ubuntu CVE).

Mitigation and workarounds

The issue has been fixed in Go versions 1.21.11 and 1.22.4. Users are advised to upgrade to these versions or later to address the vulnerability. The fix has been implemented through patches that correct the behavior of Is methods for IPv4-mapped IPv6 addresses (Golang Announce).

Additional resources

Source: This report was generated using AI

9.8

Score

Published June 5, 2024

Severity CRITICAL

CNA Score 9.8

Affected Technologies

cAdvisor
Docker

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 39.2

Exploitation Probability (EPSS) 0.2

Affected packages and libraries

openshift4::ose-baremetal-runtimecfg-rhel9@sha256:95da5531ecf899ed02f7a1b1e6cbb1066e0012cb59f17ab3b3eecaf541297c7c_s390x
openshift4::ose-insights-rhel8-operator@sha256:70f73f4e2404ebb8c6765da65e4084502cc2f84648a7c3a54ab260ab6bc2be89_arm64

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Jul 04, 2024
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: Jul 03, 2024
Alpine Security Tracker
- Alpine 3.13, 3.14, 3.15, 3.16, 3.17, 3.18 Severity CRITICALNo FixAdded at: Jun 19, 2024
- Alpine 3.20 Severity CRITICALHas FixAdded at: Jun 06, 2024
- Alpine 3.21 Severity CRITICALHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity CRITICALHas FixAdded at: Jun 01, 2025
- Alpine edge Severity CRITICALHas FixAdded at: Jun 12, 2024
CBL-Mariner
- CBL-Mariner 2.0 Severity CRITICALHas FixAdded at: Jul 14, 2024
Chainguard
- Chainguard Has FixAdded at: Jun 09, 2024
Container-Optimized OS Release Notes
- Container-Optimized OS Severity CRITICALHas FixAdded at: Jul 01, 2024
Debian Security Tracker
- Debian 10, 11, 12 Severity MEDIUMNo FixAdded at: Jun 05, 2024
Homebrew
- Homebrew Severity CRITICALHas FixAdded at: Jun 19, 2024
Nix
- Nix Severity CRITICALHas FixAdded at: Jun 19, 2024
Photon Security Advisory
- Photon 3.0 Severity CRITICALHas FixAdded at: Aug 13, 2024
- Photon 4.0, 5.0 Severity CRITICALHas FixAdded at: Jun 25, 2024
Red Hat Errata
- Red Hat 7 Severity MEDIUMHas FixAdded at: Feb 19, 2025
- Red Hat 8, 9 Severity MEDIUMHas FixAdded at: Jun 19, 2024
- Red Hat CoreOS 4 Severity MEDIUMHas FixAdded at: Aug 25, 2024
Rocky Linux Product Errata
- Rocky 8 Severity MEDIUMHas FixAdded at: May 11, 2025
- Rocky 9 Severity MEDIUMHas FixAdded at: Jul 16, 2024
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04 Severity MEDIUMHas FixAdded at: Nov 18, 2024
- Ubuntu 20.04, 22.04, 24.04 Severity MEDIUMHas FixAdded at: Jul 09, 2024
Wolfi
- Wolfi Has FixAdded at: Jun 09, 2024
NVD
- Linux Severity CRITICALHas FixAdded at: Jun 19, 2024
- Windows Severity CRITICALHas FixAdded at: Jun 12, 2024