Skip to main content
Version: latest

CVE-2024-24790

CVE Details

Visit the official vulnerability details page for CVE-2024-24790 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

go

NIST CVE Summary

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

CVE Severity

9.8

Our Official Summary

This vulnerability is reported on some of the third party components. CVE flaw analysis reported by golang, states this function returns wrong information in some instances, and really doesnt compromise availability or confidentiality.

This risk of exploitation for our products is very low. It requires attackers to execute code in the local context and requires privileged access. We will upgrade the images when the fixes are available from the upstream vendors.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.5.15✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.11✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.10✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.8✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.5✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.4✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.4.20✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted

Revision History

DateRevision
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
12/09/2024Official summary revised: This vulnerability is reported on some of the third party components. CVE flaw analysis reported by golang, states this function returns wrong information in some instances, and really doesnt compromise availability or confidentiality.This risk of exploitation for our products is very low. It requires attackers to execute code in the local context and requires privileged access. We will upgrade the images when the fixes are available from the upstream vendors.
11/19/2024Status changed from Open to Ongoing
11/19/2024Official summary revised: This vulnerability is reported on some of the third party components. This risk of exploitation for our products is very low. It requires attackers to execute code in the local context and requires privileged access. CVE flaw analysis reported by golang, states this function returns wrong information in some instances, and really doesnt compromise availability or confidentiality.We will upgrade the images when the fixes are available from the upstream vendors.
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5