
CVE-2024-24790

CVE Details

Visit the official vulnerability details page for CVE-2024-24790 to learn more.

Initial Publication

10/25/2024

Last Update

09/02/2025

Third Party Dependency

go

NIST CVE Summary

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
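As an added example (not code from Spectro Cloud or the Go project), the snippet below shows the defensive pattern for the misclassification this CVE describes: call Unmap() on a parsed netip.Addr before using the Is* methods, so an IPv4-mapped IPv6 address such as ::ffff:10.0.0.5 is classified exactly like 10.0.0.5. The sample addresses are constructed; Unmap is a no-op for any address that is not IPv4-mapped, so the helper is safe to apply unconditionally.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isPrivateOrLoopback classifies an address from untrusted input (for
// example an X-Forwarded-For value or a user-supplied webhook URL host).
// Unmapping first makes ::ffff:a.b.c.d behave like a.b.c.d, which is what
// allow/deny lists based on IsPrivate/IsLoopback expect.
func isPrivateOrLoopback(addr netip.Addr) bool {
	a := addr.Unmap()
	return a.IsPrivate() ||
		a.IsLoopback() ||
		a.IsLinkLocalUnicast() ||
		a.IsUnspecified()
}

// classifyAll parses each input string and returns the verdict per input.
// A parse failure is returned as an error rather than silently treated as
// "not private", so callers fail closed.
func classifyAll(inputs []string) (map[string]bool, error) {
	out := make(map[string]bool, len(inputs))
	for _, s := range inputs {
		addr, err := netip.ParseAddr(s)
		if err != nil {
			return nil, fmt.Errorf("parse %q: %w", s, err)
		}
		out[s] = isPrivateOrLoopback(addr)
	}
	return out, nil
}

func main() {
	// Constructed samples: each IPv4 address beside its IPv4-mapped form.
	samples := []string{
		"10.0.0.5", "::ffff:10.0.0.5",
		"127.0.0.1", "::ffff:127.0.0.1",
		"8.8.8.8", "::ffff:8.8.8.8",
	}
	verdicts, err := classifyAll(samples)
	if err != nil {
		panic(err)
	}
	for _, s := range samples {
		fmt.Printf("%-18s internal=%v\n", s, verdicts[s])
	}
}
```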

CVE Severity

9.8

Our Official Summary

This CVE identifies an integer overflow vulnerability in libexpat versions prior to 2.6.3, which can lead to an integer overflow in the nextScaffoldPart function on 32-bit platforms. This vulnerability can be exploited over a network without user interaction and has very low attack complexity. Not all of the affected images use the affected function.

Exploiting this vulnerability in Palette deployments would require an external user to compromise the network controls and gain privileged access. There are controls in place that make exploitation difficult. A fix is available in libexpat versions > 2.6.3. Once the fixed version of the library is adopted by third-party images, we will incorporate those in our products.

Status

Ongoing

Affected Products & Versions

Version | Palette Enterprise | Palette Enterprise Airgap | VerteX      | VerteX Airgap
------- | ------------------ | ------------------------- | ----------- | -------------
4.7.16  | ⚠️ Impacted        | ✅ No Impact              | ⚠️ Impacted | ✅ No Impact
4.6.41  | ⚠️ Impacted        | ⚠️ Impacted               | ⚠️ Impacted | ✅ No Impact
4.5.22  | ⚠️ Impacted        | ⚠️ Impacted               | ⚠️ Impacted | ✅ No Impact
4.4.20  | ⚠️ Impacted        | ⚠️ Impacted               | ⚠️ Impacted | ✅ No Impact

Revision History

No revisions available.