CVE-2024-39684: 
vulnerability analysis and mitigation

Tencent RapidJSON contains a privilege escalation vulnerability (CVE-2024-39684) discovered in July 2024. The vulnerability exists in the GenericReader::ParseNumber() function of include/rapidjson/reader.h when parsing JSON text from a stream. This vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) (NVD).

The vulnerability is caused by an integer overflow condition in the JSON parsing functionality, specifically within the GenericReader::ParseNumber() function located in the include/rapidjson/reader.h file. The vulnerability has been assigned CWE-190 (Integer Overflow or Wraparound). The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access requirements with user interaction (NVD).

If successfully exploited, this vulnerability can lead to elevation of privilege, allowing an attacker to gain elevated system access. The vulnerability can result in disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

Microsoft has released security updates to address this vulnerability through their July 2024 Patch Tuesday updates. Multiple KB updates have been issued for affected Windows versions including Windows 10, Windows 11, and various Windows Server versions (Lansweeper).