CVE-2024-24786: Infinite loop in JSON unmarshaling in google.golang.org/protobuf
First published: Tue Mar 05 2024(Updated: )
Last updated 18 September 2024
Credit: security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/golang-google-protobuf | <=1.25.0+git20201208.160c747-1<=1.28.1-3 | 1.33.0-1 |
| go/google.golang.org/protobuf/internal/encoding/json | <1.33.0 | 1.33.0 |
| go/google.golang.org/protobuf/encoding/protojson | <1.33.0 | 1.33.0 |
| go/google.golang.org/protobuf | <1.33.0 | 1.33.0 |
| redhat/google.golang.org/protobuf | <1.33.0 | 1.33.0 |
| F5 BIG-IP Next Central Manager | >=20.2.0<=20.2.1 | |
| F5 BIG-IP Next | >=1.7.0<=1.9.2 | |
| F5 BIG-IP Next | >=1.1.0<=1.3.1 | |
| F5 F5OS-A | =1.7.0>=1.5.1<=1.5.2 | |
| F5 F5OS-C | >=1.6.0<=1.6.2 | |
| IBM Data Virtualization on Cloud Pak for Data | <=3.0 | |
| IBM Watson Query with Cloud Pak for Data as a Service | <=2.2 | |
| IBM Watson Query with Cloud Pak for Data as a Service | <=2.1 | |
| IBM Watson Query with Cloud Pak for Data as a Service | <=2.0 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.8 | |
| IBM Data Virtualization on Cloud Pak for Data | <=1.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://go-review.googlesource.com/c/protobuf/+/569356
- https://security-tracker.debian.org/tracker/CVE-2024-24786
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU/
- https://go.dev/cl/569356
- https://pkg.go.dev/vuln/GO-2024-2611
- http://www.openwall.com/lists/oss-security/2024/03/08/4
- https://security.netapp.com/advisory/ntap-20240517-0002/
- https://launchpad.net/bugs/cve/CVE-2024-24786
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24786
- https://nvd.nist.gov/vuln/detail/CVE-2024-24786
- https://ubuntu.com/security/CVE-2024-24786
- https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023
- https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU
- https://security.netapp.com/advisory/ntap-20240517-0002
- https://github.com/advisories/GHSA-8r3f-844c-mc37 (Advisory)
- https://github.com/golang/protobuf/issues/1596
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2268046#c0
- https://access.redhat.com/errata/RHSA-2024:1363
- https://access.redhat.com/errata/RHSA-2024:1362
- https://access.redhat.com/errata/RHSA-2024:1456
- https://access.redhat.com/errata/RHSA-2024:1461
- https://access.redhat.com/errata/RHSA-2024:1507
- https://access.redhat.com/errata/RHSA-2024:1508
- https://access.redhat.com/errata/RHSA-2024:1474
- https://access.redhat.com/errata/RHSA-2024:1537
- https://access.redhat.com/errata/RHSA-2024:1538
- https://access.redhat.com/errata/RHSA-2024:1559
- https://access.redhat.com/errata/RHSA-2024:1563
- https://access.redhat.com/errata/RHSA-2024:1574
- https://access.redhat.com/errata/RHSA-2024:1665
- https://access.redhat.com/errata/RHSA-2024:1795
- https://access.redhat.com/errata/RHSA-2024:1859
- https://access.redhat.com/errata/RHSA-2024:1874
- https://access.redhat.com/errata/RHSA-2024:1925
- https://access.redhat.com/errata/RHSA-2024:2549
- https://access.redhat.com/errata/RHSA-2024:2639
- https://access.redhat.com/errata/RHSA-2024:2666
- https://access.redhat.com/errata/RHSA-2024:2773
- https://access.redhat.com/errata/RHSA-2024:2781
- https://access.redhat.com/errata/RHSA-2024:3254
- https://access.redhat.com/errata/RHSA-2024:2874
- https://access.redhat.com/errata/RHSA-2024:3316
- https://access.redhat.com/errata/RHSA-2024:3621
- https://access.redhat.com/errata/RHSA-2024:3636
- https://access.redhat.com/errata/RHSA-2024:3634
- https://access.redhat.com/errata/RHSA-2024:3635
- https://access.redhat.com/errata/RHSA-2024:3683
- https://access.redhat.com/errata/RHSA-2024:3715
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2291459
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2291460
- https://access.redhat.com/errata/RHSA-2024:3868
- https://access.redhat.com/errata/RHSA-2024:4028
- https://access.redhat.com/errata/RHSA-2024:0040
- https://access.redhat.com/errata/RHSA-2024:0041
- https://access.redhat.com/errata/RHSA-2024:4163
- https://access.redhat.com/errata/RHSA-2024:0045
- https://access.redhat.com/errata/RHSA-2024:0043
- https://access.redhat.com/errata/RHSA-2024:1616
- https://access.redhat.com/errata/RHSA-2024:3637
- https://access.redhat.com/errata/RHSA-2024:3617
- https://access.redhat.com/errata/RHSA-2024:4246
- https://access.redhat.com/errata/RHSA-2024:4150
- https://access.redhat.com/errata/RHSA-2024:4455
- https://access.redhat.com/errata/RHSA-2024:4591
- https://access.redhat.com/errata/RHSA-2024:4597
- https://access.redhat.com/errata/RHSA-2024:4626
- https://access.redhat.com/errata/RHSA-2024:5054
- https://access.redhat.com/errata/RHSA-2024:5422
- https://access.redhat.com/errata/RHSA-2024:6221
- https://access.redhat.com/errata/RHSA-2024:6004
- https://access.redhat.com/errata/RHSA-2024:6409
- https://access.redhat.com/errata/RHSA-2024:6824
- https://access.redhat.com/errata/RHSA-2024:3717
- https://access.redhat.com/errata/RHSA-2024:3718
- https://access.redhat.com/errata/RHSA-2024:7184
- https://access.redhat.com/errata/RHSA-2024:8040
- https://access.redhat.com/errata/RHSA-2024:7548
- https://access.redhat.com/errata/RHSA-2024:7922
- https://access.redhat.com/errata/RHSA-2024:8434
- https://access.redhat.com/errata/RHSA-2024:8415
- https://access.redhat.com/errata/RHSA-2024:8676
- https://access.redhat.com/errata/RHSA-2024:9615
- https://access.redhat.com/errata/RHSA-2024:10147
- https://access.redhat.com/errata/RHSA-2024:8704
- https://access.redhat.com/errata/RHSA-2025:0664
- https://access.redhat.com/errata/RHSA-2025:0654
- https://bugzilla.redhat.com/show_bug.cgi?id=2268046
- https://www.ibm.com/support/pages/node/7183851 (Advisory)
- https://my.f5.com/manage/s/article/K000141024
Frequently Asked Questions
What is the severity of CVE-2024-24786?
CVE-2024-24786 is categorized as a denial of service vulnerability due to an infinite loop flaw in the rotojson.Unmarshal function.
How do I fix CVE-2024-24786?
To fix CVE-2024-24786, update the affected software packages to version 1.33.0 or later.
What software is affected by CVE-2024-24786?
CVE-2024-24786 affects the golang-google-protobuf package and certain versions of F5 and IBM products.
Can CVE-2024-24786 be exploited remotely?
Yes, CVE-2024-24786 can be exploited remotely by sending specially crafted requests that trigger the infinite loop.
What impact does CVE-2024-24786 have on systems?
The impact of CVE-2024-24786 is that it can cause a denial of service, potentially rendering the affected service unresponsive.
- agent/title
- agent/type
- agent/weakness
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/first-publish-date
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/launchpad-cve
- source/Launchpad
- collector/usn-cve
- source/Ubuntu
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8r3f-844c-mc37
- alias/CVE-2024-24786
- agent/severity
- collector/nvd-cve
- collector/github-advisory
- agent/description
- agent/trending
- agent/source
- collector/redhat-bugzilla
- source/Red Hat
- collector/f5-advisory
- source/F5
- agent/software-canonical-lookup-request
- agent/last-modified-date
- agent/references
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- agent/softwarecombine
- package-manager/debian
- package-manager/go
- package-manager/redhat
- vendor/f5
- canonical/f5 big-ip next central manager
- version/f5 big-ip next central manager/20.2.0
- version/f5 big-ip next central manager/20.2.1
- canonical/f5 big-ip next
- version/f5 big-ip next/1.7.0
- version/f5 big-ip next/1.9.2
- version/f5 big-ip next/1.1.0
- version/f5 big-ip next/1.3.1
- canonical/f5 f5os-a
- version/f5 f5os-a/1.7.0
- version/f5 f5os-a/1.5.1
- version/f5 f5os-a/1.5.2
- canonical/f5 f5os-c
- version/f5 f5os-c/1.6.0
- version/f5 f5os-c/1.6.2
- vendor/ibm
- canonical/ibm data virtualization on cloud pak for data
- version/ibm data virtualization on cloud pak for data/3.0
- canonical/ibm watson query with cloud pak for data as a service
- version/ibm watson query with cloud pak for data as a service/2.2
- version/ibm watson query with cloud pak for data as a service/2.1
- version/ibm watson query with cloud pak for data as a service/2.0
- version/ibm data virtualization on cloud pak for data/1.8
- version/ibm data virtualization on cloud pak for data/1.7