Home > Vulnerability Database > CVE-2024-1394

Mend.io Vulnerability Database

CVE-2024-1394

Good to know:

Date: March 21, 2024

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

Language: Go

Severity Score

7.5

Related Resources (27)

Url: https://access.redhat.com/errata/RHSA-2024:2562

Url: https://access.redhat.com/errata/RHSA-2024:1472

Url: https://github.com/golang-fips/openssl/commit/85d31d0d257ce842c8a1e63c4d230ae850348136

Url: https://access.redhat.com/errata/RHSA-2024:1563

Url: https://access.redhat.com/errata/RHSA-2024:1640

Url: https://access.redhat.com/errata/RHSA-2024:1763

Url: https://access.redhat.com/errata/RHSA-2024:1468

Url: https://access.redhat.com/errata/RHSA-2024:1501

Url: https://access.redhat.com/errata/RHSA-2024:1644

Url: https://access.redhat.com/errata/RHSA-2024:1567

Url: https://access.redhat.com/errata/RHSA-2024:1566

Url: https://access.redhat.com/errata/RHSA-2024:1646

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2262921

Url: https://access.redhat.com/errata/RHSA-2024:1502

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1394

Url: https://access.redhat.com/errata/RHSA-2024:1462

Url: https://access.redhat.com/errata/RHSA-2024:1561

Url: https://vuln.go.dev/ID/GO-2024-2660.json

Url: https://github.com/microsoft/go-crypto-openssl/commit/104fe7f6912788d2ad44602f77a0a0a62f1f259f

Url: https://access.redhat.com/security/cve/CVE-2024-1394

Url: https://github.com/golang-fips/openssl/security/advisories/GHSA-78hx-gp6g-7mj6

Url: https://access.redhat.com/errata/RHSA-2024:1574

Url: https://pkg.go.dev/vuln/GO-2024-2660

Url: https://access.redhat.com/errata/RHSA-2024:1897

Url: https://access.redhat.com/errata/RHSA-2024:2568

Url: https://access.redhat.com/errata/RHSA-2024:2569

Url: https://www.mend.io/vulnerability-database/CVE-2024-1394

Severity Score

7.5

Weakness Type (CWE)

Missing Release of Memory after Effective Lifetime

CWE-401

Top Fix

Upgrade Version

Upgrade to version v2.0.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1394

Good to know:

Date: March 21, 2024

Language: Go

Severity Score

Related Resources (27)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?