CVE-2024-34156: 
cAdvisor vulnerability analysis and mitigation

A vulnerability was discovered in the encoding/gob package of the Golang standard library, identified as CVE-2024-34156. The issue was reported by Md Sakib Anwar of The Ohio State University and is a follow-up to CVE-2022-30635. When Decoder.Decode is called on a message containing deeply nested structures, it can cause a panic due to stack exhaustion (Go Project, CVE Details).

The vulnerability affects the encoding/gob package in Go versions prior to 1.22.7 and versions from 1.23.0-0 before 1.23.1. The issue specifically impacts the Decoder.Decode and Decoder.DecodeValue functions. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

Successful exploitation of this vulnerability leads to a Denial of Service (DoS) condition through stack exhaustion when processing deeply nested structures. The vulnerability affects the availability of the system while maintaining the confidentiality and integrity of the data (NetApp Advisory).

The vulnerability has been fixed in Go versions 1.22.7 and 1.23.1. Users are advised to upgrade to these versions or later to mitigate the issue. Packages built using golang need to be rebuilt once the vulnerability has been fixed (Ubuntu Security).