QwikSec

Security Database

CVE

CWE

Training

CVE-2024-24789

Published: Jun 5, 2024

Modified: Feb 13, 2025

PUBLISHED

Description

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

Vendor	Product	Versions
Go standard library	archive/zip	affected `0 - < 1.21.11` affected `1.22.0-0 - < 1.22.4`

References

https://go.dev/cl/585397

https://go.dev/issue/66869

https://groups.google.com/g/golang-announce/c/XbxouI9gY7k/m/TuoGEhxIEwAJ

https://pkg.go.dev/vuln/GO-2024-2888

http://www.openwall.com/lists/oss-security/2024/06/04/1

https://lists.fedoraproject.org/archives/list/[email protected]/message/U5YAEIA6IUHUNGJ7AIXXPQT6D2GYENX7/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.