aws / aws-lambda-base-images

Apache License 2.0

CVE-2024-24790: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses #166

Closed jacobwoffenden closed 23 hours ago

jacobwoffenden commented 1 week ago

Our image scanning pipeline has detected a critical CVE in public.ecr.aws/lambda/python:3.12@sha256:91ed051a27a1e27729351258358dfdf6622af136aeb50bd75d3bbf6ab790afdd

usr/local/bin/aws-lambda-rie (gobinary)
=======================================
Total: 1 (CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

https://avd.aquasec.com/nvd/2024/cve-2024-24790/
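Added example, not part of this issue and not code from aws-lambda-rie or the Go project: CVE-2024-24790 concerns the `net/netip` `Is*` methods (IsLoopback, IsPrivate, ...) returning false for IPv4-mapped IPv6 addresses such as `::ffff:127.0.0.1`, so a reachability or egress allowlist built on those methods could misclassify such inputs on Go toolchains before 1.21.11 / 1.22.4. The snippet below shows the defensive pattern a Go service can apply regardless of toolchain version: call `Addr.Unmap()` before classification. `classifyAddr`, `isAllowedEgress` and `needsUnmapWorkaround` are hypothetical helper names; the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// classifyAddr labels an address as loopback, private, link-local,
// unspecified or public. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are
// normalised to their IPv4 form first, so the answer does not depend on
// whether the running stdlib carries the CVE-2024-24790 fix in its Is*
// methods. (Hypothetical helper, not from the page.)
func classifyAddr(addr netip.Addr) string {
	if addr.Is4In6() {
		addr = addr.Unmap()
	}
	switch {
	case addr.IsLoopback():
		return "loopback"
	case addr.IsPrivate():
		return "private"
	case addr.IsLinkLocalUnicast():
		return "link-local"
	case addr.IsUnspecified():
		return "unspecified"
	default:
		return "public"
	}
}

// classifyString parses s and classifies it; parse errors yield "invalid".
func classifyString(s string) string {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return "invalid"
	}
	return classifyAddr(addr)
}

// isAllowedEgress is a hypothetical outbound-connection allowlist check:
// only addresses that classify as public are allowed. Unparseable input is
// rejected with the parse error.
func isAllowedEgress(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	return classifyAddr(addr) == "public", nil
}

// needsUnmapWorkaround reports whether the running stdlib still shows the
// CVE-2024-24790 behaviour, i.e. IsLoopback on ::ffff:127.0.0.1 is false.
// Useful as a startup self-check or a unit test in a service that relies
// on the stdlib Is* methods directly.
func needsUnmapWorkaround() bool {
	return !netip.MustParseAddr("::ffff:127.0.0.1").IsLoopback()
}

func main() {
	// Constructed sample inputs, including IPv4-mapped forms of the same hosts.
	samples := []string{
		"127.0.0.1", "::ffff:127.0.0.1",
		"10.1.2.3", "::ffff:10.1.2.3",
		"::1", "fe80::1", "0.0.0.0",
		"8.8.8.8", "::ffff:8.8.8.8",
		"not-an-ip",
	}
	for _, s := range samples {
		ok, err := isAllowedEgress(s)
		fmt.Printf("%-18s class=%-11s allowed=%-5v err=%v\n", s, classifyString(s), ok, err)
	}
	fmt.Println("stdlib Is* methods affected by CVE-2024-24790:", needsUnmapWorkaround())
}
```

The point of `classifyAddr` is that the mapped and unmapped spellings of one host always get the same label, which is what an allowlist needs; `needsUnmapWorkaround` is only a diagnostic and its result depends on the toolchain the binary was built with.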

shg95 commented 1 week ago

@jacobwoffenden, any workaround you have done here?

jacobwoffenden commented 1 week ago

@shg95 no, but a new release was made (https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/tag/v1.20) which addresses this; hoping a new build will be published soon, will raise with our TAM if not.

Gary-H9 commented 1 day ago

👋 A new build was published yesterday.

We've recreated our dependabot PR and they now pass our image scanning pipeline.