CVE-2024-24790

CVE Details

Visit the official vulnerability details page for CVE-2024-24790 to learn more.

Initial Publication

10/25/2024

Last Update

02/28/2025

Third Party Dependency

go

NIST CVE Summary

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
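The defect described above sits in the Go net/netip package: its Is* predicates were applied to the parsed address without looking at the IPv4 bytes embedded in an IPv4-mapped IPv6 address. The following added example (not code from the page, Go, or Spectro Cloud) shows the defensive pattern, normalising with Unmap before classification, and a mismatches helper that reports whether the running toolchain still shows the bug; the names classifyRaw, classifyNormalized and mismatches and the sample addresses are the editor's own.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Classification holds the answers of the net/netip "Is" predicates for one address.
type Classification struct {
	Private, Loopback, LinkLocalUnicast, Unspecified bool
}

// classifyRaw applies the predicates to the address exactly as parsed. On a toolchain affected
// by CVE-2024-24790 a mapped address such as ::ffff:10.0.0.1 is not reported as private.
func classifyRaw(addr netip.Addr) Classification {
	return Classification{
		Private:          addr.IsPrivate(),
		Loopback:         addr.IsLoopback(),
		LinkLocalUnicast: addr.IsLinkLocalUnicast(),
		Unspecified:      addr.IsUnspecified(),
	}
}

// classifyNormalized reduces a mapped address to its 4-byte IPv4 form with Unmap before
// classifying (native IPv4/IPv6 pass through unchanged): the defensive pattern for unpatched code.
func classifyNormalized(s string) (Classification, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return Classification{}, err
	}
	return classifyRaw(addr.Unmap()), nil
}

// mismatches lists valid addresses whose raw and normalized classifications differ; nil means patched.
func mismatches(addrs []string) (out []string) {
	for _, s := range addrs {
		if addr, err := netip.ParseAddr(s); err == nil && classifyRaw(addr) != classifyRaw(addr.Unmap()) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Constructed sample input: mapped forms beside their plain IPv4 and native IPv6 peers.
	samples := []string{"::ffff:10.0.0.1", "10.0.0.1", "::ffff:127.0.0.1", "fd00::1", "8.8.8.8"}
	c, _ := classifyNormalized(samples[0])
	fmt.Printf("%s -> %+v\n", samples[0], c)
	fmt.Println("raw/normalized mismatches:", mismatches(samples))
}
```

Run it on a container image's Go toolchain: an empty mismatch list means the predicates already handle mapped addresses, a non-empty one means callers should normalise with Unmap (or upgrade) before trusting IsPrivate or IsLoopback for access decisions.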

CVE Severity

9.8

Our Official Summary

This CVE identifies an integer overflow vulnerability in libexpat versions prior to 2.6.3, located in the nextScaffoldPart function on 32-bit platforms. This vulnerability can be exploited over a network without user interaction and has very low attack complexity. Not all of the affected images use the specific function affected.

Exploiting this vulnerability in Palette deployments requires an external user to compromise the network controls and gain privileged access. There are controls in place which make exploitation difficult. A fix is available in libexpat versions > 2.6.3. Once the fixed version of the library is adopted by third-party images, we will incorporate those in our products.

Status

Ongoing

Affected Products & Versions

Version   Palette Enterprise   Palette Enterprise Airgap   VerteX        VerteX Airgap
4.6.7     ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.6.6     ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.5.22    ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.5.21    ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.5.20    ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.5.15    ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.5.11    ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.5.10    ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.5.8     ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.5.5     ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.5.4     ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted
4.4.20    ✅ No Impact         ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted

Revision History

Date         Revision
02/25/2025   Official summary revised: This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, which can lead to an integer overflow in the nextScaffoldPart function on 32-bit platforms. This vulnerability can be exploited over a network without user interaction and has very low attack complexity. Not all of the images affected use the specific function affected. Exploiting this vulnerability in Palette deployments will require an external user to compromise the network controls and gain privileged access. There are controls in place which make the exploitation difficult. Fix is available in libexpat versions > 2.6.3. Once the fixed version of the library is adopted by 3rd party images, we will incorporate those in our products.
02/21/2025   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20, 4.5.21, 4.5.22, 4.6.6 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20, 4.5.21, 4.5.22, 4.6.6, 4.6.7
02/17/2025   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20, 4.5.21, 4.5.22 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20, 4.5.21, 4.5.22, 4.6.6
02/14/2025   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20, 4.5.21 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20, 4.5.21, 4.5.22
02/13/2025   Official summary revised: This vulnerability is reported on some of the 3rd party csi images and coredns image from k8s. This CVE is of low risk for our products: a network-based attack vector is simply impossible when it comes to golang code; apart from that, as per the CVE flaw analysis reported by golang, this only affects integrity and confidentiality and has no effect on availability. We will upgrade the images when the fixes are available from the upstream vendors.
02/05/2025   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20, 4.5.21
01/20/2025   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20
01/14/2025   Advisory severity revised to CRITICAL from HIGH
01/14/2025   Advisory is now impacting.
01/11/2025   Advisory severity revised to HIGH from CRITICAL
01/11/2025   Advisory is no longer impacting.
01/11/2025   Official summary revised: This vulnerability is a false positive. Although this is reported by the scanning tools on some of the components, further checks indicate the symbol/function with the vulnerability, while present, is not being used.
12/16/2024   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
12/09/2024   Official summary revised: This vulnerability is reported on some of the third party components. CVE flaw analysis reported by golang states this function returns wrong information in some instances, and really doesn't compromise availability or confidentiality. The risk of exploitation for our products is very low. It requires attackers to execute code in the local context and requires privileged access. We will upgrade the images when the fixes are available from the upstream vendors.
12/09/2024   Official summary revised: This vulnerability is reported on some of the third party components. The risk of exploitation for our products is very low. It requires attackers to execute code in the local context and requires privileged access. CVE flaw analysis reported by golang states this function returns wrong information in some instances, and really doesn't compromise availability or confidentiality. We will upgrade the images when the fixes are available from the upstream vendors.
12/05/2024   Advisory severity revised to CRITICAL from HIGH
12/04/2024   Advisory severity revised to HIGH from CRITICAL
11/25/2024   Official summary revised: This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, specifically in the dtdCopy function of xmlparse.c on 32-bit platforms. This vulnerability can be exploited over a network without user interaction and has very low attack complexity. Not all of the images affected use the specific function affected. Exploiting this vulnerable library will require a user to compromise the containers and gain privileged access. Fix is available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected images.
11/25/2024   Official summary revised: This vulnerability is reported on some of the 3rd party csi images and coredns image from k8s. This CVE is of low risk for our products: a network-based attack vector is simply impossible when it comes to golang code; apart from that, as per the CVE flaw analysis reported by golang, this only has very limited effect on integrity and confidentiality and has no effect on availability. In order to exploit this, attackers need to get privileged access to the platform where these containers are running.
11/25/2024   Official summary revised: This vulnerability is reported on some of the 3rd party csi images and coredns image from k8s. This CVE is of low risk for our products: a network-based attack vector is simply impossible when it comes to golang code; apart from that, as per the CVE flaw analysis reported by golang, this only affects integrity and confidentiality and has no effect on availability. In order to exploit this, attackers need to get privileged access to the platform where these containers are running.
11/15/2024   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024   Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024   Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5