CVE-2024-24790
CVE Details
Visit the official vulnerability details page for CVE-2024-24790 to learn more.
Initial Publication
10/25/2024
Last Update
12/16/2024
Third Party Dependency
go
NIST CVE Summary
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
CVE Severity
Our Official Summary
This vulnerability is reported in some of the third-party components. The CVE flaw analysis published by the Go project states that the affected function returns wrong information in some instances and does not really compromise availability or confidentiality.
The risk of exploitation for our products is very low. Exploitation requires an attacker to execute code in the local context with privileged access. We will upgrade the images when fixes are available from the upstream vendors.
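The summaries above describe net/netip `Is*` methods misclassifying IPv4-mapped IPv6 addresses. The following is an added example, not code from the advisory or from the Go project: it normalizes an address with `netip.Addr.Unmap` before classifying it, so address-classification logic gives the same answer for `::ffff:10.0.0.1` and `10.0.0.1` regardless of whether the runtime is patched. The sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// classification collects the results of the Is* checks relevant to this CVE.
type classification struct {
	Private, Loopback, LinkLocal bool
}

// classify unmaps the address first (::ffff:10.0.0.1 becomes 10.0.0.1; any
// other address is returned unchanged) and then runs the Is* checks, so the
// mapped and plain IPv4 forms always classify identically.
func classify(a netip.Addr) classification {
	u := a.Unmap()
	return classification{
		Private:   u.IsPrivate(),
		Loopback:  u.IsLoopback(),
		LinkLocal: u.IsLinkLocalUnicast(),
	}
}

// classifyString parses s and classifies it; ok is false when s is not an IP address.
func classifyString(s string) (c classification, ok bool) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return classification{}, false
	}
	return classify(a), true
}

// inconsistent reports whether calling the Is* methods directly on an
// IPv4-mapped address disagrees with the unmapped result. A true value
// means the running Go toolchain is still affected by CVE-2024-24790.
func inconsistent(a netip.Addr) bool {
	direct := classification{a.IsPrivate(), a.IsLoopback(), a.IsLinkLocalUnicast()}
	return a.Is4In6() && direct != classify(a)
}

func main() {
	// Constructed sample inputs: mapped IPv6 forms beside a plain IPv4 form.
	for _, s := range []string{"::ffff:10.0.0.1", "10.0.0.1", "::ffff:127.0.0.1", "::ffff:8.8.8.8", "::ffff:169.254.1.1"} {
		a := netip.MustParseAddr(s)
		fmt.Printf("%-20s %+v inconsistent=%v\n", s, classify(a), inconsistent(a))
	}
}
```

Running it on an affected toolchain prints `inconsistent=true` for the mapped private, loopback and link-local inputs; on a patched toolchain every line prints `inconsistent=false`, while `classify` returns the same values in both cases.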
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.5.15 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.11 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.10 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.8 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.5 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.5.4 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
4.4.20 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
Date | Revision |
---|---|
12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
12/09/2024 | Official summary revised: This vulnerability is reported on some of the third party components. CVE flaw analysis reported by golang, states this function returns wrong information in some instances, and really doesn't compromise availability or confidentiality. This risk of exploitation for our products is very low. It requires attackers to execute code in the local context and requires privileged access. We will upgrade the images when the fixes are available from the upstream vendors. |
12/09/2024 | Official summary revised: This vulnerability is reported on some of the third party components. This risk of exploitation for our products is very low. It requires attackers to execute code in the local context and requires privileged access. CVE flaw analysis reported by golang, states this function returns wrong information in some instances, and really doesn't compromise availability or confidentiality. We will upgrade the images when the fixes are available from the upstream vendors. |
12/05/2024 | Advisory severity revised to CRITICAL from HIGH |
12/04/2024 | Advisory severity revised to HIGH from CRITICAL |
11/25/2024 | Official summary revised: This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, specifically in the dtdCopy function of xmlparse.c on 32-bit platforms. This vulnerability can be exploited over a network without user interaction and has very low attack complexity. Not all of the images affected use the specific function affected. Exploiting this vulnerable library will require a user to compromise the containers and gain privileged access. Fix is available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected images. |
11/25/2024 | Official summary revised: This vulnerability is reported on some of the 3rd party csi images and coredns image from k8s. This CVE is of low risk for our products; a network-based attack vector is simply impossible when it comes to golang code, apart from that as per CVE flaw analysis reported by golang, this only has very limited effect on integrity and confidentiality and has no effect on availability. In order to exploit this, attackers need to get privileged access to the platform where these containers are running. |
11/25/2024 | Official summary revised: This vulnerability is reported on some of the 3rd party csi images and coredns image from k8s. This CVE is of low risk for our products; a network-based attack vector is simply impossible when it comes to golang code, apart from that as per CVE flaw analysis reported by golang, this only affects integrity and confidentiality and has no effect on availability. In order to exploit this, attackers need to get privileged access to the platform where these containers are running. |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |