CVE-2024-24789: Mishandling of corrupt central directory record in archive/zip
First published: Tue Jun 04 2024(Updated: )
Last updated 14 November 2024
Credit: security@golang.org security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/go | <1.22.4 | 1.22.4 |
| redhat/go | <1.21.11 | 1.21.11 |
| debian/golang-1.15 | <=1.15.15-1~deb11u4 | |
| debian/golang-1.19 | <=1.19.8-2 | |
| debian/golang-1.22 | 1.22.12-3 | |
| Golang | <1.21.11 | |
| Golang | >=1.22.0<1.22.4 |
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/
- https://go.dev/cl/585397
- https://go.dev/issue/66869
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
- https://pkg.go.dev/vuln/GO-2024-2888
- http://www.openwall.com/lists/oss-security/2024/06/04/1
- https://launchpad.net/bugs/cve/CVE-2024-24789
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24789
- https://nvd.nist.gov/vuln/detail/CVE-2024-24789
- https://security-tracker.debian.org/tracker/CVE-2024-24789
- https://ubuntu.com/security/CVE-2024-24789
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292677
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292678
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292679
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292680
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292681
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292682
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292670
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292669
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292683
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292684
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292685
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292686
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292687
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292688
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292689
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292690
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292691
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292692
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292693
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292694
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292695
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292696
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292697
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292698
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292700
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292701
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292702
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292703
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292704
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292705
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292706
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292707
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292708
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292709
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292710
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292711
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292712
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292671
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292713
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292714
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292672
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292715
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292716
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292673
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292717
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292674
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292718
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292675
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292719
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292676
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292720
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292721
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292722
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292723
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2292668#c26
- https://access.redhat.com/errata/RHSA-2024:4212
- https://access.redhat.com/errata/RHSA-2024:4237
- https://access.redhat.com/errata/RHSA-2024:4867
- https://access.redhat.com/errata/RHSA-2024:4872
- https://access.redhat.com/errata/RHSA-2024:4982
- https://access.redhat.com/errata/RHSA-2024:4785
- https://access.redhat.com/errata/RHSA-2024:5094
- https://access.redhat.com/errata/RHSA-2024:5258
- https://access.redhat.com/errata/RHSA-2024:5291
- https://access.redhat.com/errata/RHSA-2024:6004
- https://access.redhat.com/errata/RHSA-2024:6755
- https://access.redhat.com/errata/RHSA-2024:3722
- https://access.redhat.com/errata/RHSA-2024:3718
- https://access.redhat.com/errata/RHSA-2024:8676
- https://access.redhat.com/errata/RHSA-2024:9102
- https://access.redhat.com/errata/RHSA-2024:9115
- https://access.redhat.com/errata/RHSA-2024:9583
- https://access.redhat.com/errata/RHSA-2024:10186
- https://access.redhat.com/errata/RHSA-2024:10775
- https://bugzilla.redhat.com/show_bug.cgi?id=2292668
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k
- https://github.com/golang/go/issues/66869
- https://security.netapp.com/advisory/ntap-20250131-0008/
Frequently Asked Questions
What is the severity of CVE-2024-24789?
CVE-2024-24789 is considered a moderate severity vulnerability due to its potential for exploitation through malformed zip files.
How can I fix CVE-2024-24789?
To fix CVE-2024-24789, update the Go package to version 1.22.4 or higher for Red Hat and Debian systems wherever applicable.
Which software versions are affected by CVE-2024-24789?
CVE-2024-24789 affects versions of Go prior to 1.22.4, including 1.21.11 for Red Hat and 1.15.15-1~deb11u4 and 1.19.8-2 for Debian.
What type of attacks can CVE-2024-24789 be used for?
CVE-2024-24789 could potentially be exploited to manipulate zip file content rendering inconsistencies based on the underlying ZIP implementation.
What implementations are primarily impacted by CVE-2024-24789?
CVE-2024-24789 primarily impacts the 'archive/zip' package in the Go programming language, differing from behavior in most other ZIP implementations.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-24789
- alias/CVE-2024-24790
- agent/first-publish-date
- agent/weakness
- agent/title
- agent/type
- agent/remedy
- agent/severity
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/last-modified-date
- agent/references
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/redhat
- package-manager/debian
- vendor/golang
- canonical/golang
- version/golang/1.22.0