CVE-2023-24535 — Vulnetix

CVE-2023-24535 PUBLISHED CVSS 8.699999809265137 HIGH

Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.

EPSS 0.39% · 60.6th percentile

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.39%

60.6th percentile

Affected Products

Vendor	Product	Versions
google.golang.org/protobuf	google.golang.org/protobuf/internal/encoding/text	1.29.0, 1.29.0
protobuf	protobuf	1.29.0, 1.29.0
google.golang.org	protobuf	1.29.0, 1.29.0
google.golang.org/protobuf	google.golang.org/protobuf/encoding/prototext	1.29.0, 1.29.0

Timeline

Mar 14, 2023 CVE Published
Jun 9, 2023 EPSS Score
Jul 15, 2023 EPSS Score
Aug 19, 2023 EPSS Score
Sep 24, 2023 EPSS Score
Oct 30, 2023 EPSS Score
Dec 4, 2023 EPSS Score
Jan 9, 2024 EPSS Score
Feb 14, 2024 EPSS Score
Apr 25, 2024 EPSS Score
May 31, 2024 EPSS Score
Jul 5, 2024 EPSS Score

References

https://go.dev/cl/475995 url
https://github.com/golang/protobuf/issues/1530 url
https://pkg.go.dev/vuln/GO-2023-1631 url
https://nvd.nist.gov/vuln/detail/CVE-2023-24535 advisory
https://github.com/golang/protobuf package

Open in Interactive Console →