UBUNTU-CVE-2024-37298

Source
https://ubuntu.com/security/CVE-2024-37298
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-37298.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-37298
Related
Published
2024-07-01T19:15:00Z
Modified
2024-10-15T14:15:00Z
Summary
[none]
Details

gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running schema.Decoder.Decode() on a struct that has a field of type []struct{...} opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of schema.Decoder.Decode() on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.

References

Affected packages

Ubuntu:24.10 / golang-github-gorilla-schema

Package

Name
golang-github-gorilla-schema
Purl
pkg:deb/ubuntu/golang-github-gorilla-schema?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.0-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / golang-github-gorilla-schema

Package

Name
golang-github-gorilla-schema
Purl
pkg:deb/ubuntu/golang-github-gorilla-schema?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.0-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}