First published: Fri Sep 06 2024
Calling Decoder.Decode on a message which contains deeply nested struc ...
Credit: security@golang.org
Affected Software | Affected Version | How to fix
---|---|---
IBM Rational Team Concert | <=1.0.0, 1.0.1, 1.0.2, 1.0.2.1, 1.0.3 |
debian/golang-1.15 | <=1.15.15-1~deb11u4 |
debian/golang-1.19 | <=1.19.8-2 |
debian/golang-1.23 | 1.23.7-1 |
CVE-2024-34156 is considered to be a medium severity vulnerability due to its potential to cause application crashes.
To remediate CVE-2024-34156, upgrade to golang-1.22 version 1.22.11-1 or golang-1.23 version 1.23.5-1.
CVE-2024-34156 affects IBM Concert Software versions up to 1.0.3 and specific versions of golang in Debian.
Mitigation can be achieved by limiting the depth of nested structures in messages processed by Decoder.Decode.
CVE-2024-34156 is a follow-up to CVE-2022-30635, which addressed a similar stack exhaustion issue.