CVE-2022-24675

Public on 2022-04-20

Modified on 2023-01-27

Description

A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB) ), causing a stack overflow in Decode, which leads to a loss of availability.

Severity

Medium

CVSS v3 Base Score

7.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Core	amazon-ssm-agent	2022-07-06	ALAS2-2022-1807	Fixed
Amazon Linux 2 - Core	go-rpm-macros	2022-10-17	ALAS2-2022-1863	Fixed
Amazon Linux 1	golang	2022-09-15	ALAS-2022-1635	Fixed
Amazon Linux 2 - Core	golang	2022-07-28	ALAS2-2022-1830	Fixed
Amazon Linux 2 - Core	golang	2022-09-15	ALAS2-2022-1846	Fixed
Amazon Linux 2 - Golang1.19 Extra	golang	2023-08-07	ALAS2GOLANG1.19-2023-002	Fixed
Amazon Linux 2023	golang	2023-02-17	ALAS2023-2023-048	Fixed
Amazon Linux 2023	golang-github-cpuguy83-md2man	2023-02-17	ALAS2023-2023-047	Fixed
Amazon Linux 2 - Core	golang-github-godbus-dbus	2022-10-17	ALAS2-2022-1858	Fixed
Amazon Linux 2 - Core	golang-github-gorilla-context	2022-10-17	ALAS2-2022-1859	Fixed
Amazon Linux 2 - Core	golang-github-gorilla-mux	2022-10-17	ALAS2-2022-1860	Fixed
Amazon Linux 2 - Core	golang-github-kr-pty	2022-10-17	ALAS2-2022-1864	Fixed
Amazon Linux 2 - Core	golang-github-syndtr-gocapability	2022-10-17	ALAS2-2022-1865	Fixed
Amazon Linux 2 - Core	golang-googlecode-net	2022-10-17	ALAS2-2022-1861	Fixed
Amazon Linux 2 - Core	golang-googlecode-sqlite	2022-10-17	ALAS2-2022-1862	Fixed
Amazon Linux 2 - Core	golist	2022-09-15	ALAS2-2022-1847	Fixed
Amazon Linux 2023	golist	2023-02-17	ALAS2023-2023-046	Fixed
Amazon Linux 2 - Docker Extra	runc	2022-09-30	ALAS2DOCKER-2022-020	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:N/I:N/A:P
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2022-24675 Mitre: CVE-2022-24675