CVE-2024-37298

2024-07-0119:15:04

CWE-770

GitHub_M

web.nvd.nist.gov

gorilla/schema

memory exhaustion

vulnerability fix

version 1.4.1

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

Percentile

15.7%

JSON

gorilla/schema converts structs to and from form values. Prior to version 1.4.1 Running schema.Decoder.Decode() on a struct that has a field of type []struct{...} opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of schema.Decoder.Decode() on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. Version 1.4.1 contains a patch for the issue.

Affected configurations

Vulners

Vulnrichment

Node

gorillaschemaRange<1.4.1

VendorProductVersionCPE
gorillaschema*cpe:2.3:a:gorilla:schema:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gorilla	schema	*	cpe:2.3:a:gorilla:schema::::::::

CNA Affected

[
  {
    "vendor": "gorilla",
    "product": "schema",
    "versions": [
      {
        "version": "< 1.4.1",
        "status": "affected"
      }
    ]
  }
]