CVE-2024-37298 Common Vulnerabilities and Exposures

Upstream information

CVE-2024-37298 at MITRE

Description

gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

SUSE Bugzilla entry: 1227309 [NEW]

SUSE Security Advisories:

RHSA-2024:6194, published Thu Sep 12 08:51:13 UTC 2024

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Liberty Linux 8	`aardvark-dns >= 1.10.0-1.module+el8.10.0+22202+761b9a65` `buildah >= 1.33.8-4.module+el8.10.0+22202+761b9a65` `buildah-tests >= 1.33.8-4.module+el8.10.0+22202+761b9a65` `cockpit-podman >= 84.1-1.module+el8.10.0+22202+761b9a65` `conmon >= 2.1.10-1.module+el8.10.0+22202+761b9a65` `container-selinux >= 2.229.0-2.module+el8.10.0+22202+761b9a65` `containernetworking-plugins >= 1.4.0-5.module+el8.10.0+22202+761b9a65` `containers-common >= 1-82.module+el8.10.0+22202+761b9a65` `crit >= 3.18-5.module+el8.10.0+22202+761b9a65` `criu >= 3.18-5.module+el8.10.0+22202+761b9a65` `criu-devel >= 3.18-5.module+el8.10.0+22202+761b9a65` `criu-libs >= 3.18-5.module+el8.10.0+22202+761b9a65` `crun >= 1.14.3-2.module+el8.10.0+22202+761b9a65` `fuse-overlayfs >= 1.13-1.module+el8.10.0+22202+761b9a65` `libslirp >= 4.4.0-2.module+el8.10.0+22202+761b9a65` `libslirp-devel >= 4.4.0-2.module+el8.10.0+22202+761b9a65` `netavark >= 1.10.3-1.module+el8.10.0+22202+761b9a65` `oci-seccomp-bpf-hook >= 1.2.10-1.module+el8.10.0+22202+761b9a65` `podman >= 4.9.4-12.module+el8.10.0+22202+761b9a65` `podman-catatonit >= 4.9.4-12.module+el8.10.0+22202+761b9a65` `podman-docker >= 4.9.4-12.module+el8.10.0+22202+761b9a65` `podman-gvproxy >= 4.9.4-12.module+el8.10.0+22202+761b9a65` `podman-plugins >= 4.9.4-12.module+el8.10.0+22202+761b9a65` `podman-remote >= 4.9.4-12.module+el8.10.0+22202+761b9a65` `podman-tests >= 4.9.4-12.module+el8.10.0+22202+761b9a65` `python3-criu >= 3.18-5.module+el8.10.0+22202+761b9a65` `python3-podman >= 4.9.0-2.module+el8.10.0+22202+761b9a65` `runc >= 1.1.12-4.module+el8.10.0+22202+761b9a65` `skopeo >= 1.14.5-3.module+el8.10.0+22202+761b9a65` `skopeo-tests >= 1.14.5-3.module+el8.10.0+22202+761b9a65` `slirp4netns >= 1.2.3-1.module+el8.10.0+22202+761b9a65` `toolbox >= 0.0.99.5-2.module+el8.10.0+22202+761b9a65` `toolbox-tests >= 0.0.99.5-2.module+el8.10.0+22202+761b9a65` `udica >= 0.2.6-21.module+el8.10.0+22202+761b9a65`	Patchnames: RHSA-2024:5258
SUSE Liberty Linux 9	`podman >= 4.9.4-10.el9_4` `podman-docker >= 4.9.4-10.el9_4` `podman-plugins >= 4.9.4-10.el9_4` `podman-remote >= 4.9.4-10.el9_4` `podman-tests >= 4.9.4-10.el9_4`	Patchnames: RHSA-2024:6194

SUSE Timeline for this CVE

CVE page created: Mon Jul 1 22:00:57 2024
CVE page last modified: Thu Sep 26 13:49:09 2024