5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-24789

GHSA ID

GHSA-236w-p7wf-5ph8

EPSS Score

0.01186%

CWE

Published

6/5/2024

Updated

1/31/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24789

CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the...

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-24789

CVE-2024-24789:

5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-24789

GHSA ID

GHSA-236w-p7wf-5ph8

EPSS Score

0.01186%

CWE

Published

6/5/2024

Updated

1/31/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis is based on the information from the Go vulnerability database (pkg.go.dev/vuln/GO-2024-2888) and the related GitHub issue (go.dev/issue/66869). These sources explicitly name NewReader and OpenReader as the affected functions within the archive/zip package. The vulnerability stems from how these functions parse the End of Central Directory Record (EOCDR), particularly its comment length, which can be crafted to cause the Go archive/zip package to interpret the ZIP file differently than other implementations. The patch involves rejecting files with such errors, indicating that the vulnerability lies in the parsing logic within these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the...

CVE-2024-24789:

5.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

5.5

5.5

CVE-2024-24789: The archive/zip package's handling of certain types of invalid zip files differs from the...

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI