Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decode on a message that contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Statement
This vulnerability in Go's encoding/gob package is of high severity because it exposes applications to potential Denial of Service (DoS) attacks through stack exhaustion. Since gob relies on recursive function calls to decode nested structures, an attacker could exploit this by sending crafted messages with excessively deep nesting, causing the application to panic due to stack overflow. This risk is particularly important in scenarios where untrusted or external input is processed, as it can lead to system unavailability or crashes, undermining the reliability and availability of services.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
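The statement above identifies the exposure as recursive decoding of untrusted input, and the mitigation section offers no library-level workaround. The following is an added example, not code from Red Hat or from the Go project, showing the application-side control a practitioner can still apply: capping the number of bytes handed to the gob decoder. A gob message cannot nest deeper than it has bytes, so a byte budget on untrusted input also bounds the recursion depth the decoder can reach. The Node type, the 4096-byte budget and the one-message-per-payload assumption are constructed for this illustration.

```go
package main

import (
	"bytes"
	"encoding/gob"
	"errors"
	"fmt"
	"io"
)

// ErrMessageTooLarge is returned when an incoming gob payload is larger than
// the byte budget the caller is willing to hand to the decoder.
var ErrMessageTooLarge = errors.New("gob payload exceeds size limit")

// Node is a constructed recursive type: each level of nesting costs the gob
// decoder one more recursive call, which is the resource this check bounds.
type Node struct {
	Value int
	Next  *Node
}

// DecodeBounded reads at most maxBytes from r and decodes one gob message
// into v. Because nesting depth is bounded by message length, the byte cap
// on untrusted input also caps the decoder's recursion depth. It assumes one
// message per payload (for example, one request body).
func DecodeBounded(r io.Reader, maxBytes int64, v any) error {
	// Read one byte past the budget so "exactly at the limit" is still accepted.
	buf, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return err
	}
	if int64(len(buf)) > maxBytes {
		return ErrMessageTooLarge
	}
	return gob.NewDecoder(bytes.NewReader(buf)).Decode(v)
}

// EncodeChain builds a linked list of the given depth and gob-encodes it;
// it stands in for a peer sending a payload of arbitrary nesting.
func EncodeChain(depth int) ([]byte, error) {
	var head *Node
	for i := depth - 1; i >= 0; i-- {
		head = &Node{Value: i, Next: head}
	}
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(head); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// ChainDepth counts the nodes reachable from n, so a caller can confirm that
// an accepted payload was decoded completely.
func ChainDepth(n *Node) int {
	depth := 0
	for ; n != nil; n = n.Next {
		depth++
	}
	return depth
}

func main() {
	const limit = 4096 // constructed byte budget an application might grant one request

	small, _ := EncodeChain(50)
	var n Node
	err := DecodeBounded(bytes.NewReader(small), limit, &n)
	fmt.Printf("%d-byte payload: err=%v depth=%d\n", len(small), err, ChainDepth(&n))

	big, _ := EncodeChain(20000)
	var m Node
	err = DecodeBounded(bytes.NewReader(big), limit, &m)
	fmt.Printf("%d-byte payload: err=%v\n", len(big), err)
}
```

The check runs before any decoding starts, which matters here: a Go stack-exhaustion panic is a fatal runtime error that recover() cannot catch, so rejecting oversized input up front is the only point at which the application can act. The budget should be sized from the largest legitimate message the service expects, not from the decoder's behaviour.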
Affected Packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Builds for Red Hat OpenShift | openshift-builds/openshift-builds-waiters-rhel8 | Will not fix | |
cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Affected | |
Migration Toolkit for Applications 7 | mta/mta-hub-rhel9 | Will not fix | |
Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-api-rhel9 | Affected | |
Multicluster Engine for Kubernetes | multicluster-engine/hive-rhel8 | Affected | |
Node Maintenance Operator | workload-availability/node-maintenance-rhel8-operator | Will not fix | |
OpenShift Serverless | openshift-serverless-1/client-kn-rhel8 | Will not fix | |
OpenShift Serverless | openshift-serverless-clients | Will not fix | |
OpenShift Service Mesh 2 | openshift-golang-builder-container | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/subctl-rhel9 | Affected | |
Additional Information
CVSS3: 7.5 High