CVE-2022-24921

Public on 2022-03-05

Modified on 2023-12-18

Description

A stack overflow flaw was found in Golang's regexp module, which can crash the runtime if the application using regexp accepts very long or arbitrarily long regexps from untrusted sources that have sufficient nesting depths. To exploit this vulnerability, an attacker would need to send large regexps with deep nesting to the application. Triggering this flaw leads to a crash of the runtime, which causes a denial of service.

Severity

Important

CVSS v3 Base Score

7.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Core	amazon-cloudwatch-agent			Not Affected
Amazon Linux 2 - Core	amazon-ecr-credential-helper			Not Affected
Amazon Linux 2 - Core	amazon-ssm-agent			Not Affected
Amazon Linux 2 - Core	cni-plugins			Not Affected
Amazon Linux 1	containerd			Not Affected
Amazon Linux 2 - Core	containerd			Not Affected
Amazon Linux 2 - Core	cri-tools			Not Affected
Amazon Linux 1	docker			Not Affected
Amazon Linux 2 - Core	docker			Not Affected
Amazon Linux 1	ecs-init			Not Affected
Amazon Linux 2 - Core	ecs-init			Not Affected
Amazon Linux 1	golang	2022-09-15	ALAS-2022-1635	Fixed
Amazon Linux 2 - Core	golang	2022-04-25	ALAS2-2022-1776	Fixed
Amazon Linux 2 - Core	golang	2022-07-06	ALAS2-2022-1811	Fixed
Amazon Linux 2 - Core	golang	2022-07-28	ALAS2-2022-1830	Fixed
Amazon Linux 2023	golang	2023-02-17	ALAS2023-2023-048	Fixed
Amazon Linux 1	golist			Not Affected
Amazon Linux 2 - Core	golist			Not Affected
Amazon Linux 2 - Core	nerdctl			Not Affected
Amazon Linux 2 - Core	oci-add-hooks			Not Affected
Amazon Linux 2 - Core	rclone			Not Affected
Amazon Linux 1	runc			Not Affected
Amazon Linux 2 - Core	runc			Not Affected

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD	CVSSv2	5.0	AV:N/AC:L/Au:N/C:N/I:N/A:P
NVD	CVSSv3	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Red Hat: CVE-2022-24921 Mitre: CVE-2022-24921