{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34155", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2024-05-01T18:45:34.846Z", "datePublished": "2024-09-06T20:42:42.518Z", "dateUpdated": "2024-09-26T15:03:07.202Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-09-06T20:42:42.518Z"}, "title": "Stack exhaustion in all Parse functions in go/parser", "descriptions": [{"lang": "en", "value": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion."}], "affected": [{"vendor": "Go standard library", "product": "go/parser", "collectionURL": "https://pkg.go.dev", "packageName": "go/parser", "versions": [{"version": "0", "lessThan": "1.22.7", "status": "affected", "versionType": "semver"}, {"version": "1.23.0-0", "lessThan": "1.23.1", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "parser.parseLiteralValue"}, {"name": "ParseDir"}, {"name": "ParseExpr"}, {"name": "ParseExprFrom"}, {"name": "ParseFile"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-674: Uncontrolled Recursion"}]}], "references": [{"url": "https://go.dev/cl/611238"}, {"url": "https://go.dev/issue/69138"}, {"url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk"}, {"url": "https://pkg.go.dev/vuln/GO-2024-3105"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-09T13:55:36.320331Z", "id": "CVE-2024-34155", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T13:55:46.774Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20240926-0005/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-26T15:03:07.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20240926-0005/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-26T15:03:07.202Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34155", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-09T13:55:36.320331Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T13:55:42.645Z"}}], "cna": {"title": "Stack exhaustion in all Parse functions in go/parser", "affected": [{"vendor": "Go standard library", "product": "go/parser", "versions": [{"status": "affected", "version": "0", "lessThan": "1.22.7", "versionType": "semver"}, {"status": "affected", "version": "1.23.0-0", "lessThan": "1.23.1", "versionType": "semver"}], "packageName": "go/parser", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "parser.parseLiteralValue"}, {"name": "ParseDir"}, {"name": "ParseExpr"}, {"name": "ParseExprFrom"}, {"name": "ParseFile"}]}], "references": [{"url": "https://go.dev/cl/611238"}, {"url": "https://go.dev/issue/69138"}, {"url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk"}, {"url": "https://pkg.go.dev/vuln/GO-2024-3105"}], "descriptions": [{"lang": "en", "value": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-09-06T20:42:42.518Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34155", "state": "PUBLISHED", "dateUpdated": "2024-09-26T15:03:07.202Z", "dateReserved": "2024-05-01T18:45:34.846Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2024-09-06T20:42:42.518Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion."}, {"lang": "es", "value": "Llamar a cualquiera de las funciones Parse en el c\u00f3digo fuente de Go que contiene literales profundamente anidados puede provocar p\u00e1nico debido al agotamiento de la pila."}], "id": "CVE-2024-34155", "lastModified": "2024-09-09T13:03:38.303", "metrics": {}, "published": "2024-09-06T21:15:11.947", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/611238"}, {"source": "security@golang.org", "url": "https://go.dev/issue/69138"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2024-3105"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:6908", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8100020240918165244.a3795dee", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-23T00:00:00Z"}, {"advisory": "RHSA-2024:6913", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "golang-0:1.21.13-3.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-23T00:00:00Z"}], "bugzilla": {"description": "go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion", "id": "2310527", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310527"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-674", "details": ["Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.", "A flaw was found in the go/parser package of the Golang standard library. Calling any Parse functions on Go source code containing deeply nested literals can cause a panic due to stack exhaustion."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-34155", "package_state": [{"cpe": "cpe:/a:redhat:openshift_builds:1", "fix_state": "Affected", "package_name": "openshift-builds/openshift-builds-waiters-rhel8", "product_name": "Builds for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cert_manager:1", "fix_state": "Affected", "package_name": "cert-manager/cert-manager-operator-rhel9", "product_name": "cert-manager Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:cost_management:", "fix_state": "Affected", "package_name": "costmanagement/costmanagement-metrics-rhel8-operator", "product_name": "Cost Management"}, {"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "cryostat-tech-preview/cryostat-storage-rhel8", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Affected", "package_name": "custom-metrics-autoscaler-tech-preview/custom-metrics-autoscaler-rhel8", "product_name": "Custom metric autoscaler Operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:workload_availability_fence_agents_remediation", "fix_state": "Affected", "package_name": "workload-availability/fence-agents-remediation-rhel8-operator", "product_name": "Fence Agents Remediation Operator"}, {"cpe": "cpe:/a:redhat:kube_descheduler_operator:5", "fix_state": "Affected", "package_name": "kube-descheduler-operator/descheduler-rhel9", "product_name": "Kube Descheduler Operator"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/logging-loki-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:lvms:4", "fix_state": "Will not fix", "package_name": "lvms4/topolvm-rhel9", "product_name": "Logical Volume Manager Storage"}, {"cpe": "cpe:/a:redhat:workload_availability_machine_deletion_remediation", "fix_state": "Affected", "package_name": "workload-availability/machine-deletion-remediation-rhel8-operator", "product_name": "Machine Deletion Remediation Operator"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Affected", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Affected", "package_name": "rhmtc/openshift-migration-registry-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-api-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/hive-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:network_bound_disk_encryption_tang:1", "fix_state": "Affected", "package_name": "tang-operator-container", "product_name": "NBDE Tang Server"}, {"cpe": "cpe:/a:redhat:network_observ_optr:1", "fix_state": "Affected", "package_name": "network-observability/network-observability-rhel8-operator", "product_name": "Network Observability Operator"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Affected", "package_name": "workload-availability/node-healthcheck-rhel8-operator", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:workload_availability:4", "fix_state": "Affected", "package_name": "node-maintenance-operator-container", "product_name": "Node Maintenance Operator"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Affected", "package_name": "oadp/oadp-velero-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:run_once_duration_override_operator:1", "fix_state": "Affected", "package_name": "run-once-duration-override-operator/run-once-duration-override-rhel8", "product_name": "OpenShift Run Once Duration Override Operator"}, {"cpe": "cpe:/a:redhat:openshift_secondary_scheduler:1", "fix_state": "Affected", "package_name": "openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8", "product_name": "OpenShift Secondary Scheduler Operator"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "openshift-serverless-1/client-kn-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Will not fix", "package_name": "openshift-serverless-clients", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:openshift_power_monitoring", "fix_state": "Affected", "package_name": "kepler-container", "product_name": "Power monitoring for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-operator-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/subctl-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "receptor", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rhceph/rhceph-6-dashboard-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:hybrid_cloud_gateway:1::el9", "fix_state": "Affected", "package_name": "authorino-container", "product_name": "Red Hat Connectivity Link"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "golang-github-prometheus-promu", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:assisted_installer:", "fix_state": "Affected", "package_name": "rhai-tech-preview/assisted-installer-rhel8", "product_name": "Red Hat OpenShift Container Platform Assisted Installer"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-operator-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-rhel8-operator", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3::el8", "fix_state": "Affected", "package_name": "devspaces/udi-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/gitops-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1", "fix_state": "Affected", "package_name": "openshift-sandboxed-containers-tech-preview/osc-rhel8-operator", "product_name": "Red Hat Openshift sandboxed containers"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "rhosp-rhel8/osp-director-agent", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "ovn-operator-container", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:service_interconnect:1", "fix_state": "Affected", "package_name": "skupper-cli", "product_name": "Red Hat Service Interconnect 1"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "golang", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "heketi", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:workload_availability_self_node_remediation", "fix_state": "Affected", "package_name": "workload-availability/self-node-remediation-rhel8-operator", "product_name": "Self Node Remediation Operator"}], "public_date": "2024-09-06T21:15:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-34155\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-34155\nhttps://go.dev/cl/611238\nhttps://go.dev/issue/69138\nhttps://groups.google.com/g/golang-dev/c/S9POB9NCTdk\nhttps://pkg.go.dev/vuln/GO-2024-3105"], "threat_severity": "Moderate"}