CVE-2024-24790
Publication date 5 June 2024
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
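A version-independent way to classify addresses, as an added example that is not code from this advisory or from the Go project: the Is methods in question belong to Go's `net/netip` package, and calling `Unmap()` first makes an IPv4-mapped IPv6 literal get checked as the IPv4 address it carries. The function name `classify` and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// classify (hypothetical helper) reports whether s is an address that an
// egress filter or allowlist should treat as non-public, and whether it
// arrived in IPv4-mapped IPv6 form (::ffff:a.b.c.d), which is worth logging.
func classify(s string) (internal, mapped bool, err error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		// Fail closed: input that does not parse is never treated as public.
		return true, false, err
	}
	mapped = addr.Is4In6()
	// Normalize before any Is* check so the result does not depend on how
	// the installed toolchain handles the mapped form.
	addr = addr.Unmap()
	internal = addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsLinkLocalMulticast() ||
		addr.IsInterfaceLocalMulticast() || addr.IsMulticast() ||
		addr.IsUnspecified()
	return internal, mapped, nil
}

func main() {
	// Constructed sample inputs: plain IPv4, mapped forms, and public addresses.
	samples := []string{
		"127.0.0.1",
		"::ffff:127.0.0.1",
		"::ffff:10.1.2.3",
		"::ffff:169.254.169.254",
		"::ffff:8.8.8.8",
		"2001:4860:4860::8888",
	}
	for _, s := range samples {
		internal, mapped, err := classify(s)
		fmt.Printf("%-24s internal=%-5v mapped=%-5v err=%v\n", s, internal, mapped, err)
	}
}
```

Normalizing this way complements installing a fixed package from the table below; it does not replace the update.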
Status
Package | Ubuntu Release | Status |
---|---|---|
golang-1.10 | 24.04 LTS noble | Not in release |
golang-1.10 | 22.04 LTS jammy | Not in release |
golang-1.10 | 20.04 LTS focal | Not in release |
golang-1.10 | 18.04 LTS bionic | Needs evaluation |
golang-1.10 | 16.04 LTS xenial | Needs evaluation |
golang-1.10 | 14.04 LTS trusty | Needs evaluation |
golang-1.13 | 24.04 LTS noble | Not in release |
golang-1.13 | 22.04 LTS jammy | Needs evaluation |
golang-1.13 | 20.04 LTS focal | Needs evaluation |
golang-1.13 | 18.04 LTS bionic | Needs evaluation |
golang-1.13 | 16.04 LTS xenial | Needs evaluation |
golang-1.14 | 24.04 LTS noble | Not in release |
golang-1.14 | 22.04 LTS jammy | Not in release |
golang-1.14 | 20.04 LTS focal | Needs evaluation |
golang-1.16 | 24.04 LTS noble | Not in release |
golang-1.16 | 22.04 LTS jammy | Not in release |
golang-1.16 | 20.04 LTS focal | Needs evaluation |
golang-1.16 | 18.04 LTS bionic | Needs evaluation |
golang-1.17 | 24.04 LTS noble | Not in release |
golang-1.17 | 22.04 LTS jammy | Needs evaluation |
golang-1.17 | 20.04 LTS focal | Not in release |
golang-1.18 | 24.04 LTS noble | Not in release |
golang-1.18 | 22.04 LTS jammy | Needs evaluation |
golang-1.18 | 20.04 LTS focal | Needs evaluation |
golang-1.18 | 18.04 LTS bionic | Needs evaluation |
golang-1.18 | 16.04 LTS xenial | Needs evaluation |
golang-1.20 | 24.04 LTS noble | Not in release |
golang-1.20 | 22.04 LTS jammy | Needs evaluation |
golang-1.20 | 20.04 LTS focal | Needs evaluation |
golang-1.21 | 24.04 LTS noble | Fixed 1.21.9-1ubuntu0.1 |
golang-1.21 | 22.04 LTS jammy | Fixed 1.21.1-1~ubuntu22.04.3 |
golang-1.21 | 20.04 LTS focal | Fixed 1.21.1-1~ubuntu20.04.3 |
golang-1.22 | 24.04 LTS noble | Fixed 1.22.2-2ubuntu0.1 |
golang-1.22 | 22.04 LTS jammy | Fixed 1.22.2-2~22.04.1 |
golang-1.22 | 20.04 LTS focal | Fixed 1.22.2-2~20.04.1 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 · Critical |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6886-1: Go vulnerabilities (9 July 2024)
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-24790
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k
- https://github.com/golang/go/issues/67680
- https://go.dev/cl/590316
- https://go.dev/issue/67680
- https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ
- https://pkg.go.dev/vuln/GO-2024-2887
- https://github.com/golang/go/commit/12d5810cdb1f73cf23d7a86462143e9463317fca (1.22)
- https://github.com/golang/go/commit/051bdf3fd12a40307606ff9381138039c5f452f0 (1.21)