CVE - CVE-2024-1394

CVE-ID
CVE-2024-1394	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:RHBZ#2262921 URL:https://bugzilla.redhat.com/show_bug.cgi?id=2262921 MISC:RHSA-2024:1462 URL:https://access.redhat.com/errata/RHSA-2024:1462 MISC:RHSA-2024:1468 URL:https://access.redhat.com/errata/RHSA-2024:1468 MISC:RHSA-2024:1472 URL:https://access.redhat.com/errata/RHSA-2024:1472 MISC:RHSA-2024:1501 URL:https://access.redhat.com/errata/RHSA-2024:1501 MISC:RHSA-2024:1502 URL:https://access.redhat.com/errata/RHSA-2024:1502 MISC:RHSA-2024:1561 URL:https://access.redhat.com/errata/RHSA-2024:1561 MISC:RHSA-2024:1563 URL:https://access.redhat.com/errata/RHSA-2024:1563 MISC:RHSA-2024:1566 URL:https://access.redhat.com/errata/RHSA-2024:1566 MISC:RHSA-2024:1567 URL:https://access.redhat.com/errata/RHSA-2024:1567 MISC:RHSA-2024:1574 URL:https://access.redhat.com/errata/RHSA-2024:1574 MISC:RHSA-2024:1640 URL:https://access.redhat.com/errata/RHSA-2024:1640 MISC:RHSA-2024:1644 URL:https://access.redhat.com/errata/RHSA-2024:1644 MISC:RHSA-2024:1646 URL:https://access.redhat.com/errata/RHSA-2024:1646 MISC:RHSA-2024:1763 URL:https://access.redhat.com/errata/RHSA-2024:1763 MISC:RHSA-2024:1897 URL:https://access.redhat.com/errata/RHSA-2024:1897 MISC:https://access.redhat.com/security/cve/CVE-2024-1394 URL:https://access.redhat.com/security/cve/CVE-2024-1394 MISC:https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136 URL:https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136 MISC:https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6 URL:https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6 MISC:https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f URL:https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f MISC:https://pkg.go.dev/vuln/GO-2024-2660 URL:https://pkg.go.dev/vuln/GO-2024-2660 MISC:https://vuln.go.dev/ID/GO-2024-2660.json URL:https://vuln.go.dev/ID/GO-2024-2660.json
Assigning CNA
Red Hat, Inc.
Date Record Created
20240209	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240209)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)