CVE-2024-24789

low-risk
Published 2024-06-05

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Go

Affected Vendors

Golang

References (13)

Mailing List http://www.openwall.com/lists/oss-security/2024/06/04/1
Patch https://go.dev/cl/585397
Issue Tracking https://go.dev/issue/66869
Release Notes https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Third Party Advisory https://pkg.go.dev/vuln/GO-2024-2888
Mailing List http://www.openwall.com/lists/oss-security/2024/06/04/1
Patch https://go.dev/cl/585397
Issue Tracking https://go.dev/issue/66869
Release Notes https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
Third Party Advisory https://pkg.go.dev/vuln/GO-2024-2888
https://security.netapp.com/advisory/ntap-20250131-0008/
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal