Description
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
A flaw was found in the Go language standard library net/netip. The Is*() methods (IsPrivate(), IsPublic(), etc.) do not behave properly when working with IPv4-mapped IPv6 addresses. The unexpected behavior can lead to integrity and confidentiality issues, specifically when these methods are used to control access to resources or data.
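An added example (not code from this advisory or from the Go project): an access-control helper that calls Unmap() before the Is*() checks, so an IPv4-mapped IPv6 address gets the same verdict as its IPv4 form regardless of the Go version in use. The helper names isInternal and classify and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isInternal (hypothetical helper) reports whether addr must be treated as
// non-public by an access-control check. It unmaps IPv4-mapped IPv6 addresses
// first, so ::ffff:a.b.c.d is classified exactly like a.b.c.d.
func isInternal(addr netip.Addr) bool {
	a := addr.Unmap() // no-op for plain IPv4 and native IPv6 addresses
	return !a.IsValid() || // zero Addr: fail closed
		a.IsUnspecified() ||
		a.IsLoopback() ||
		a.IsPrivate() ||
		a.IsLinkLocalUnicast() ||
		a.IsMulticast()
}

// classify (hypothetical helper) parses s and returns the canonical unmapped
// text form and the verdict. Unparseable input is reported as internal.
func classify(s string) (string, bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return "", true, err
	}
	return addr.Unmap().String(), isInternal(addr), nil
}

func main() {
	// Constructed sample inputs: mapped and plain forms of the same addresses.
	samples := []string{
		"127.0.0.1", "::ffff:127.0.0.1",
		"10.0.0.1", "::ffff:10.0.0.1",
		"::ffff:169.254.169.254",
		"8.8.8.8", "::ffff:8.8.8.8",
	}
	for _, s := range samples {
		canon, internal, err := classify(s)
		if err != nil {
			fmt.Printf("%-24s rejected: %v\n", s, err)
			continue
		}
		// Raw call without Unmap: the result for mapped input depends on the Go version.
		raw := netip.MustParseAddr(s).IsLoopback()
		fmt.Printf("%-24s canonical=%-16s internal=%-5v raw IsLoopback=%v\n", s, canon, internal, raw)
	}
}
```

Comparing the `internal` column with the `raw IsLoopback` column for the mapped loopback sample shows whether the toolchain that built the binary still has the flawed behavior.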
Report
This CVE has been marked as moderate because, for our products, a network-based attack vector is simply impossible when it comes to golang code. Apart from that, as per the CVE flaw analysis reported by golang, this only affects integrity and confidentiality and has no effect on availability, hence the CVSS has been marked as such. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-115: Misinterpretation of Input vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Controls such as input validation and error handling mitigate input misinterpretation risks by enforcing strict validation rules and secure error management. Error handling ensures inputs are validated against predefined formats, preventing malformed data from being misinterpreted. Techniques like strong typing, allow listing, and proper encoding reduce the likelihood of injection attacks and unintended code execution. Input validation also ensures that errors do not expose sensitive system details or cause unpredictable behavior. Secure error handling prevents information leakage through detailed error messages while preserving system stability under malformed input conditions. Together, these controls reduce the attack surface by maintaining consistent input processing and preventing exploitable system states, strengthening the overall security posture.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-waiters-rhel8 | Will not fix | ||
Cryostat 2 | cryostat-tech-preview/cryostat-rhel8-operator | Affected | ||
Fence Agents Remediation Operator | workload-availability/fence-agents-remediation-rhel8-operator | Will not fix | ||
Logical Volume Manager Storage | lvms4/topolvm-rhel9 | Affected | ||
Machine Deletion Remediation Operator | workload-availability/machine-deletion-remediation-rhel8-operator | Affected | ||
Migration Toolkit for Applications 6 | mta/mta-hub-rhel8 | Will not fix | ||
Migration Toolkit for Applications 7 | mta/mta-cli-rhel9 | Will not fix | ||
Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-api-rhel9 | Affected | ||
Multicluster Engine for Kubernetes | multicluster-engine/hive-rhel8 | Not affected | ||
NBDE Tang Server | tang-operator-container | Will not fix | ||
Additional information
Status:
EPSS
CVSS3: 6.7 Medium