The Go standard library's archive/zip package handles certain kinds of invalid zip files differently from most other zip implementations. An attacker could exploit this mismatch to craft a zip file whose apparent contents depend on which implementation reads it (for example, a scanner sees one set of files while archive/zip extracts another). Since the fix, archive/zip rejects files containing these errors.
Affected component
The vulnerability is in pkg:golang/stdlib@1.22.3, detected by the container-scanning scan.
Recommended fix
Upgrade to version 1.22.4 or later.
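The practical risk behind this advisory is the general one of a zip archive that presents two different views to two different readers: archive/zip trusts the central directory at the end of the file, while streaming unzippers and many scanners walk the local file headers from the front. The example below, added here and not part of this report or of the Go project's own code, builds a small stored archive from constructed sample input, then tampers with a copy so that the central directory alone renames an entry, and shows a cross-check that lists the archive both ways and reports every disagreement. The helper names (`buildStoredZip`, `walkLocalHeaders`, `CrossCheck`) are this example's own, and the tampering shown is a generic instance of the problem class, not the specific invalid structure that Go 1.22.4 now rejects, which the report does not detail. Such a cross-check is a useful gate on archives from untrusted sources whatever Go version is in use.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// entry is one member as a front-to-back reader sees it from its local header.
type entry struct {
	name string
	crc  uint32
	size int
}

// put appends fixed-width fields (uint16/uint32) to buf in little-endian order.
func put(buf *bytes.Buffer, fields ...any) {
	for _, f := range fields {
		binary.Write(buf, binary.LittleEndian, f)
	}
}

// buildStoredZip writes a minimal archive (stored entries, no data descriptors)
// from name/content pairs and returns it with the offset of its central directory.
func buildStoredZip(files [][2]string) ([]byte, int) {
	var buf bytes.Buffer
	var offs []uint32
	for _, f := range files {
		name, data := f[0], []byte(f[1])
		n, crc := uint32(len(data)), crc32.ChecksumIEEE(data)
		offs = append(offs, uint32(buf.Len()))
		// local file header: sig, version needed, flags, method, time, date, crc, csize, usize, name len, extra len
		put(&buf, uint32(0x04034b50), uint16(20), uint16(0), uint16(0), uint16(0), uint16(0), crc, n, n, uint16(len(name)), uint16(0))
		buf.WriteString(name)
		buf.Write(data)
	}
	cdOff := buf.Len()
	for i, f := range files {
		name, data := f[0], []byte(f[1])
		n, crc := uint32(len(data)), crc32.ChecksumIEEE(data)
		// central directory header: sig, made by, version needed, flags, method, time, date, crc, csize, usize,
		// name/extra/comment len, disk, internal attr, external attr, local header offset
		put(&buf, uint32(0x02014b50), uint16(20), uint16(20), uint16(0), uint16(0), uint16(0), uint16(0), crc, n, n, uint16(len(name)), uint16(0), uint16(0), uint16(0), uint16(0), uint32(0), offs[i])
		buf.WriteString(name)
	}
	// end of central directory: sig, disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
	put(&buf, uint32(0x06054b50), uint16(0), uint16(0), uint16(len(files)), uint16(len(files)), uint32(buf.Len()-cdOff), uint32(cdOff), uint16(0))
	return buf.Bytes(), cdOff
}

// walkLocalHeaders reads the archive front to back like a streaming unzipper,
// trusting only local headers; results are keyed by each entry's data offset.
func walkLocalHeaders(data []byte) (map[int64]entry, []string) {
	out, b := map[int64]entry{}, binary.LittleEndian
	for off := 0; off+30 <= len(data) && b.Uint32(data[off:]) == 0x04034b50; {
		flags, crc, csize := b.Uint16(data[off+6:]), b.Uint32(data[off+14:]), int(b.Uint32(data[off+18:]))
		nlen, xlen := int(b.Uint16(data[off+26:])), int(b.Uint16(data[off+28:]))
		start := off + 30 + nlen + xlen
		if flags&0x8 != 0 || start+csize > len(data) {
			return out, []string{fmt.Sprintf("local header at %d: data descriptor or truncated data; cannot walk further", off)}
		}
		out[int64(start)] = entry{string(data[off+30 : off+30+nlen]), crc, csize}
		off = start + csize
	}
	return out, nil
}

// CrossCheck returns every disagreement between the central directory (what
// archive/zip trusts) and the local headers (what a sequential reader trusts).
func CrossCheck(data []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	local, diffs := walkLocalHeaders(data)
	for _, f := range zr.File {
		off, err := f.DataOffset()
		l, ok := local[off]
		if err != nil || !ok || l.name != f.Name || l.crc != f.CRC32 || l.size != int(f.CompressedSize64) {
			diffs = append(diffs, fmt.Sprintf("%q: central directory and local header disagree (local view %+v, err %v)", f.Name, l, err))
		}
		delete(local, off)
	}
	for off, l := range local {
		diffs = append(diffs, fmt.Sprintf("local header for %q at data offset %d is not listed in the central directory", l.name, off))
	}
	return diffs, nil
}

func main() {
	data, cdOff := buildStoredZip([][2]string{{"a.txt", "hello"}, {"b.txt", "world"}})
	fmt.Println(CrossCheck(data)) // constructed clean archive: no disagreements
	// Rename a.txt in the central directory only; a streaming reader still sees a.txt.
	copy(data[cdOff:], bytes.Replace(data[cdOff:], []byte("a.txt"), []byte("x.txt"), 1))
	fmt.Println(CrossCheck(data))
}
```

On the tampered copy, archive/zip lists `x.txt` while the local-header walk still sees `a.txt`, and `CrossCheck` reports the disagreement; a consumer that rejects on any non-empty result refuses archives of this shape regardless of which reader the rest of the pipeline uses. The walk deliberately stops at entries that use data descriptors (flag bit 3), because their sizes are not known until after the data, so archives produced by archive/zip's own Writer, which always sets that flag, are reported rather than silently trusted.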
Risk: 3.35 (Low)
EPSS: 0.04 %
The exploit probability is very low. The vulnerability is unlikely to be exploited in the next 30 days.
Exploit: Not available
We found no public exploit, neither in GitHub repositories nor in the Exploit-Database, and no sign of opportunistic exploitation of this vulnerability.
Vulnerability Depth: 1
The vulnerability is in a direct dependency of your project.
CVSS-BE: 7.3
Exploiting this vulnerability significantly impacts integrity.
CVSS-B: 5.5
The vulnerability requires local access to the device to be exploited.
It is easy for an attacker to exploit this vulnerability.
An attacker needs basic access or low-level privileges.
No user interaction is needed for the attacker to exploit this vulnerability.
The impact is confined to the system where the vulnerability exists.
There is a high impact on the integrity of the data.
CVE-2024-24789
More details can be found in DevGuard
Same - just update