CVE-2024-1394

{"id": "CVE-2024-1394", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-03-21T13:00:08.037", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1462", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1468", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1472", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1501", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1502", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1561", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1563", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1566", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1567", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1574", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1640", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1644", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1646", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1763", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:1897", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1394", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262921", "source": "secalert@redhat.com"}, {"url": "https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136", "source": "secalert@redhat.com"}, {"url": "https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6", "source": "secalert@redhat.com"}, {"url": "https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f", "source": "secalert@redhat.com"}, {"url": "https://pkg.go.dev/vuln/GO-2024-2660", "source": "secalert@redhat.com"}, {"url": "https://vuln.go.dev/ID/GO-2024-2660.json", "source": "secalert@redhat.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs\u200b. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey\u200b and ctx\u200b. That function uses named return parameters to free pkey\u200b and ctx\u200b if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the \"return nil, nil, fail(...)\" pattern, meaning that pkey\u200b and ctx\u200b will be nil inside the deferred function that should free them."}, {"lang": "es", "value": "Se encontr\u00f3 una falla de p\u00e9rdida de memoria en Golang en el c\u00f3digo de cifrado/descifrado RSA, lo que podr\u00eda conducir a una vulnerabilidad de agotamiento de recursos mediante entradas controladas por el atacante. La p\u00e9rdida de memoria ocurre en github.com/golang-fips/openssl/openssl/rsa.go#L113. Los objetos filtrados son pkey? y ctx?. Esa funci\u00f3n utiliza par\u00e1metros de retorno con nombre para liberar pkey? y ctx? si hay un error al inicializar el contexto o al configurar las diferentes propiedades. Todas las declaraciones de devoluci\u00f3n relacionadas con casos de error siguen el patr\u00f3n \"return nil, nil, fail(...)\", lo que significa que pkey? y ctx? ser\u00e1n nulos dentro de la funci\u00f3n diferida que deber\u00eda liberarlos."}], "lastModified": "2024-04-27T01:15:06.083", "sourceIdentifier": "secalert@redhat.com"}