CVE-2024-24790
CVE Details
Visit the official vulnerability details page for CVE-2024-24790 to learn more.
Initial Publication
10/25/2024
Last Update
09/02/2025
Third Party Dependency
go
NIST CVE Summary
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
CVE Severity
Our Official Summary
This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, which can lead to an integer overflow in the nextScaffoldPart function on 32-bit platforms. This vulnerability can be exploited over a network without user interaction and has very low attack complexity. Not all of the images affected use the specific function affected.
Exploiting this vulnerability in Palette deployments will require an external user to compromise the network controls and gain privileged access. There are controls in place which makes the exploitation difficult. Fix is available in libexpat versions > 2.6.3. Once the fixed version of the library is adoped by 3rd party images, we will incorporate those in our products.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.6.41 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact |
| 4.5.22 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact |
| 4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact |
Revision History
No revisions available.