CVE-2024-24789
Mishandling of corrupt central directory record in archive/zip
5.5
MEDIUM
CVSS 3.1
EPSS 0.01%
Description
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file whose contents vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.
How to fix CVE-2024-24789
To remediate CVE-2024-24789, upgrade the affected package to one of the fixed versions listed below.
- — upgrade to 1.21.11 or later
- — no fix listed
- — no fix listed
- — upgrade to 1.21.11 or later
Is CVE-2024-24789 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 1.21.11, >= 1.22.0-0, < 1.22.4
- from 0
- from 0
- from 0, < 1.21.11, >= 1.22.0-0, < 1.22.4
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |