CVE-2024-24790
Misinterpretation of Input (CWE-115)
Summary
The various IP address classification methods (IsPrivate, IsLoopback, etc.) in Go's net package did not work correctly for IPv4-mapped IPv6 addresses, returning false for addresses that should have returned true in their IPv4 form.
Impact
This vulnerability could allow an attacker to bypass network access controls or authorization checks that rely on correct IP address classification. Depending on how applications use these methods, it may lead to unauthorized access, information disclosure, or other security issues. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), with high impacts on confidentiality, integrity, and availability.
Exploitation
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
Patch
Patches are available. Go versions 1.19.2 and 1.18.9 have been released to fix this issue. Applications using affected versions should upgrade. Patch details have been provided by multiple sources including Red Hat, go.dev, and Oracle.
Mitigation
As a workaround until patched versions can be deployed, implement custom IP address classification logic instead of using the vulnerable net package methods. Filter both IPv4 and IPv4-mapped IPv6 addresses. It's crucial to upgrade to the patched versions (Go 1.19.2 or 1.18.9) as soon as possible.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
Feedly found the first article mentioning CVE-2024-24790. See article
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-24790
This CVE started to trend in security discussions
EPSS Score was set to: 0.05% (Percentile: 15.2%)
Detection for the vulnerability has been added to Nessus (200209)
This CVE stopped trending in security discussions
Detection for the vulnerability has been added to Qualys (756412)
RedHat CVE advisory released a security advisory (CVE-2024-24790).