CVE-2024-26134: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service that uses cbor2 to parse CBOR binaries by sending a sufficiently long object. Version 5.6.2 contains a patch for this issue.
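As an added defensive example (not from the advisory or the cbor2 project): audit the installed cbor2 against the affected range stated above, and reject oversized payloads before they reach the decoder. The 64 KiB cap, the helper names and the assumption that cbor2 publishes plain X.Y.Z releases are mine.

```python
"""Audit and containment helpers for CVE-2024-26134 in cbor2 (added example)."""
from __future__ import annotations

from importlib.metadata import PackageNotFoundError, version as installed_version

# Affected range stated in the advisory: 5.5.1 <= cbor2 < 5.6.2
AFFECTED_FROM = (5, 5, 1)
FIXED_IN = (5, 6, 2)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted release string such as '5.6.2' into a comparable tuple.

    Assumption: cbor2 ships plain X.Y.Z releases; any non-numeric suffix
    (e.g. '5.6.0rc1') is truncated at the first non-digit of that component.
    """
    parts: list[int] = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:  # pad so '5.6' compares like '5.6.0'
        parts.append(0)
    return tuple(parts)


def is_affected(version_text: str) -> bool:
    """True if this cbor2 version falls inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def installed_cbor2_affected() -> bool | None:
    """Check the cbor2 in the current environment; None if it is not installed."""
    try:
        return is_affected(installed_version("cbor2"))
    except PackageNotFoundError:
        return None


MAX_CBOR_BYTES = 64 * 1024  # assumed per-message cap; tune it to your protocol


def bounded_loads(payload: bytes, limit: int = MAX_CBOR_BYTES):
    """Drop oversized messages before decoding. Defence in depth for the crash
    described above, not a substitute for upgrading to cbor2 >= 5.6.2."""
    if len(payload) > limit:
        raise ValueError(f"CBOR payload of {len(payload)} bytes exceeds limit {limit}")
    import cbor2  # imported lazily so the audit helpers run without cbor2 installed
    return cbor2.loads(payload)
```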
References
- github.com/advisories/GHSA-375g-39jq-vq7m
- github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
- github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df
- github.com/agronholm/cbor2/pull/204
- github.com/agronholm/cbor2/releases/tag/5.6.2
- github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
- nvd.nist.gov/vuln/detail/CVE-2024-26134