CVE-2024-1394

CVSS V2 None CVSS V3 None
Description
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern. Because a Go return statement assigns its operands to the named results before deferred functions run, pkey and ctx will be nil inside the deferred function that should free them.
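A minimal reproduction of the pattern described above, added here as an illustration and not taken from golang-fips/openssl. The names handle, alloc, setProps and live are constructed stand-ins for the OpenSSL objects, and fixed shows one way to avoid the leak, not necessarily the upstream patch.

```go
package main

import "errors"

// live counts simulated native objects (stand-ins for pkey and ctx) not yet freed.
var live int

type handle struct{}

func alloc() *handle { live++; return &handle{} }
func (h *handle) free() { // nil-safe so cleanup can be called unconditionally
	if h != nil {
		live--
	}
}

// setProps is a hypothetical setup step that always fails, forcing the error path.
func setProps() error { return errors.New("setup failed") }

// leaky releases through its named results in a deferred function.
func leaky() (pkey, ctx *handle, err error) {
	defer func() {
		if err != nil { // "return nil, nil, e" has already set pkey and ctx to nil
			pkey.free()
			ctx.free()
		}
	}()
	pkey, ctx = alloc(), alloc()
	if e := setProps(); e != nil {
		return nil, nil, e
	}
	return pkey, ctx, nil
}

// fixed keeps the objects in locals that the return statement cannot overwrite.
func fixed() (*handle, *handle, error) {
	pkey, ctx := alloc(), alloc()
	if e := setProps(); e != nil {
		ctx.free()
		pkey.free()
		return nil, nil, e
	}
	return pkey, ctx, nil
}

// leakedBy returns how many objects remain allocated after one call to f.
func leakedBy(f func() (*handle, *handle, error)) int {
	live = 0
	f()
	return live
}

func main() { println("leaky:", leakedBy(leaky), "fixed:", leakedBy(fixed)) }
```

Each failing call to leaky strands two objects, which is why repeated error-path calls driven by untrusted input add up to resource exhaustion.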
Overview
  • CVE ID: CVE-2024-1394
  • Assigner: redhat
  • Vulnerability Status: PUBLISHED
  • Published Version: 2024-03-21T12:16:38.790Z
  • Last Modified Date: 2024-06-11T20:17:11.716Z
References
Reference URL Reference Tags
https://access.redhat.com/errata/RHSA-2024:1462 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1468 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1472 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1501 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1502 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1561 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1563 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1566 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1567 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1574 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1640 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1644 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1646 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1763 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1897 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2562 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2568 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2569 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2729 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2730 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2767 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3265 vendor-advisory x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-1394 vdb-entry x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2262921 issue-tracking x_refsource_REDHAT
https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136
https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6
https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f
https://pkg.go.dev/vuln/GO-2024-2660
https://vuln.go.dev/ID/GO-2024-2660.json
History
Created Old Value New Value Data Type Notes
2024-06-26 05:58:54 Added to TrackCVE