| id: GO-2024-3344 |
| modules: |
| - module: filippo.io/age |
| versions: |
| - fixed: 1.2.1 |
| vulnerable_at: 1.2.0 |
| packages: |
| - package: filippo.io/age/plugin |
| symbols: |
| - NewIdentityWithoutData |
| - EncodeRecipient |
| - EncodeIdentity |
| - ParseRecipient |
| - openClientConnection |
| - ParseIdentity |
| derived_symbols: |
| - Identity.Unwrap |
| - NewIdentity |
| - NewRecipient |
| - Recipient.Wrap |
| - Recipient.WrapWithLabels |
| summary: |- |
| Malicious plugin names, recipients, or identities causing |
| arbitrary binary execution in filippo.io/age |
| ghsas: |
| - GHSA-32gq-x56h-299c |
| related: |
| - CVE-2024-56327 |
| credits: |
| - ⬡-49016 |
| references: |
| - advisory: https://github.com/FiloSottile/age/security/advisories/GHSA-32gq-x56h-299c |
| - fix: https://github.com/FiloSottile/age/commit/482cf6fc9babd3ab06f6606762aac10447222201 |
| source: |
| id: GHSA-32gq-x56h-299c |
| created: 2024-12-20T10:15:12.556561-10:00 |
| review_status: REVIEWED |
