id: GO-2024-2611
modules:
    - module: google.golang.org/protobuf
      versions:
          - fixed: 1.33.0
      vulnerable_at: 1.32.0
      packages:
          - package: google.golang.org/protobuf/encoding/protojson
            symbols:
                - UnmarshalOptions.unmarshal
            derived_symbols:
                - Unmarshal
                - UnmarshalOptions.Unmarshal
          - package: google.golang.org/protobuf/internal/encoding/json
            symbols:
                - Decoder.Read
            derived_symbols:
                - Decoder.Peek
summary: Infinite loop in JSON unmarshaling in google.golang.org/protobuf
description: |-
    The protojson.Unmarshal function can enter an infinite loop when unmarshaling
    certain forms of invalid JSON. This condition can occur when unmarshaling into a
    message which contains a google.protobuf.Any value, or when the
    UnmarshalOptions.DiscardUnknown option is set.
ghsas:
    - GHSA-8r3f-844c-mc37
references:
    - fix: https://go.dev/cl/569356
cve_metadata:
    id: CVE-2024-24786
    cwe: 'CWE-1286: Improper Validation of Syntactic Correctness of Input'
    references:
        - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/
        - http://www.openwall.com/lists/oss-security/2024/03/08/4
review_status: REVIEWED