Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2024-24790: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses #166

Closed
jacobwoffenden opened this issue Jun 19, 2024 · 3 comments
Closed

CVE-2024-24790: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses #166

jacobwoffenden opened this issue Jun 19, 2024 · 3 comments

Comments

@jacobwoffenden
Copy link

jacobwoffenden commented Jun 19, 2024
edited
Loading

Our image scanning pipeline has detected a critical CVE in public.ecr.aws/lambda/python:3.12@sha256:91ed051a27a1e27729351258358dfdf6622af136aeb50bd75d3bbf6ab790afdd

usr/local/bin/aws-lambda-rie (gobinary)
=======================================
Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

https://avd.aquasec.com/nvd/2024/cve-2024-24790/
This was referenced Jun 20, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Merged
Merged
@shg95
Copy link

shg95 commented Jun 21, 2024

@jacobwoffenden , any work around you have done here?

@jamesstottmoj jamesstottmoj mentioned this issue Jun 21, 2024
Closed
@jacobwoffenden
Copy link
Author

@shg95 no, but a new release was made https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/tag/v1.20 which addresses this, hoping a new build will be published soon, will raise with our TAM if not

@Gary-H9
Copy link

Gary-H9 commented Jun 28, 2024
edited
Loading

👋 A new build was published yesterday.

We've recreated our dependabot PR and they now pass our image scanning pipeline.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jacobwoffenden @Gary-H9 @shg95