data/reports: add GO-2024-2611.yaml
Aliases: CVE-2024-24786
Updates golang/vulndb#2611
Change-Id: I22554d548311b716c453bce880cf2bdfbaa443af
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/569395
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
diff --git a/data/cve/v5/GO-2024-2611.json b/data/cve/v5/GO-2024-2611.json
new file mode 100644
index 0000000..22bea25
--- /dev/null
+++ b/data/cve/v5/GO-2024-2611.json
@@ -0,0 +1,90 @@
+{
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "cveMetadata": {
+ "cveId": "CVE-2024-24786"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+ },
+ "title": "Infinite loop in JSON unmarshaling in google.golang.org/protobuf",
+ "descriptions": [
+ {
+ "lang": "en",
+ "value": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set."
+ }
+ ],
+ "affected": [
+ {
+ "vendor": "google.golang.org/protobuf",
+ "product": "google.golang.org/protobuf/encoding/protojson",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "google.golang.org/protobuf/encoding/protojson",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.33.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "UnmarshalOptions.unmarshal"
+ },
+ {
+ "name": "Unmarshal"
+ },
+ {
+ "name": "UnmarshalOptions.Unmarshal"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ },
+ {
+ "vendor": "google.golang.org/protobuf",
+ "product": "google.golang.org/protobuf/internal/encoding/json",
+ "collectionURL": "https://pkg.go.dev",
+ "packageName": "google.golang.org/protobuf/internal/encoding/json",
+ "versions": [
+ {
+ "version": "0",
+ "lessThan": "1.33.0",
+ "status": "affected",
+ "versionType": "semver"
+ }
+ ],
+ "programRoutines": [
+ {
+ "name": "Decoder.Read"
+ },
+ {
+ "name": "Decoder.Peek"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "lang": "en",
+ "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://go.dev/cl/569356"
+ },
+ {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2611"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/data/osv/GO-2024-2611.json b/data/osv/GO-2024-2611.json
new file mode 100644
index 0000000..d23a86b
--- /dev/null
+++ b/data/osv/GO-2024-2611.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2611",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2024-24786"
+ ],
+ "summary": "Infinite loop in JSON unmarshaling in google.golang.org/protobuf",
+ "details": "The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.",
+ "affected": [
+ {
+ "package": {
+ "name": "google.golang.org/protobuf",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.33.0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "google.golang.org/protobuf/encoding/protojson",
+ "symbols": [
+ "Unmarshal",
+ "UnmarshalOptions.Unmarshal",
+ "UnmarshalOptions.unmarshal"
+ ]
+ },
+ {
+ "path": "google.golang.org/protobuf/internal/encoding/json",
+ "symbols": [
+ "Decoder.Peek",
+ "Decoder.Read"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://go.dev/cl/569356"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2611"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2611.yaml b/data/reports/GO-2024-2611.yaml
new file mode 100644
index 0000000..918609a
--- /dev/null
+++ b/data/reports/GO-2024-2611.yaml
@@ -0,0 +1,29 @@
+id: GO-2024-2611
+modules:
+ - module: google.golang.org/protobuf
+ versions:
+ - fixed: 1.33.0
+ vulnerable_at: 1.32.0
+ packages:
+ - package: google.golang.org/protobuf/encoding/protojson
+ symbols:
+ - UnmarshalOptions.unmarshal
+ derived_symbols:
+ - Unmarshal
+ - UnmarshalOptions.Unmarshal
+ - package: google.golang.org/protobuf/internal/encoding/json
+ symbols:
+ - Decoder.Read
+ derived_symbols:
+ - Decoder.Peek
+summary: Infinite loop in JSON unmarshaling in google.golang.org/protobuf
+description: |-
+ The protojson.Unmarshal function can enter an infinite loop when unmarshaling
+ certain forms of invalid JSON. This condition can occur when unmarshaling into a
+ message which contains a google.protobuf.Any value, or when the
+ UnmarshalOptions.DiscardUnknown option is set.
+references:
+ - fix: https://go.dev/cl/569356
+cve_metadata:
+ id: CVE-2024-24786
+ cwe: 'CWE-1286: Improper Validation of Syntactic Correctness of Input'
