CVE-2024-26134

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.
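The advisory text above says only that a "long enough object" crashes the decoder, so the practical defences are the generic ones: refuse to hand oversized or obviously inconsistent CBOR to any decoder, and gate on the library version. The following is an added example written for this page, not code from the cbor2 project. The 1 MiB cap, the `parse_head`/`reject_reason`/`safe_loads` names and the pre-flight bounds are assumptions chosen for illustration; the only thing taken from the advisory is the affected range (5.5.1 inclusive to 5.6.2 exclusive). The header parsing follows RFC 8949 section 3, and the block runs without cbor2 installed (the decoder call is only reached when it is).

```python
"""Pre-flight checks before passing untrusted CBOR to cbor2.loads() (editor-added example)."""
import struct

# Assumption for this example: a service-level cap on one CBOR message, not a value from the advisory.
MAX_INPUT_BYTES = 1 << 20  # 1 MiB

# Affected range as stated in the advisory text: >= 5.5.1 and < 5.6.2.
AFFECTED_MIN = (5, 5, 1)
FIXED_IN = (5, 6, 2)

try:
    import cbor2  # optional: the checks below do not depend on it
except ImportError:
    cbor2 = None


def parse_version(version):
    """Turn '5.6.2' (or '5.6.2.post1') into a comparable (5, 6, 2) tuple."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True if the given cbor2 version string falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def installed_cbor2_version():
    """Installed cbor2 version from package metadata, or None if not installed."""
    try:
        from importlib.metadata import version
        return version("cbor2")
    except Exception:
        return None


def parse_head(data):
    """Decode the initial byte and argument of the first data item (RFC 8949 section 3).

    Returns (major_type, argument, header_length); argument is None for an
    indefinite-length item (additional information 31).
    """
    if not data:
        raise ValueError("empty input")
    major, info = data[0] >> 5, data[0] & 0x1F
    if info < 24:
        return major, info, 1
    if info == 31:
        return major, None, 1
    widths = {24: ">B", 25: ">H", 26: ">I", 27: ">Q"}
    if info not in widths:
        raise ValueError("reserved additional information %d" % info)
    need = struct.calcsize(widths[info])
    if len(data) < 1 + need:
        raise ValueError("truncated header")
    (arg,) = struct.unpack(widths[info], data[1:1 + need])
    return major, arg, 1 + need


def reject_reason(data, max_bytes=MAX_INPUT_BYTES):
    """Return None if data passes the pre-flight checks, otherwise a short reason.

    These are cheap sanity bounds, not a CBOR validator: the total size is capped,
    and the top-level item's declared length must be satisfiable by the bytes
    present (a byte/text string needs that many payload bytes, an array at least
    one byte per element, a map at least two per pair). Tags (major 6) and simple
    values/floats (major 7) carry no count, so they are not bounded here.
    """
    if len(data) > max_bytes:
        return "input of %d bytes exceeds cap of %d" % (len(data), max_bytes)
    try:
        major, arg, hlen = parse_head(data)
    except ValueError as exc:
        return "malformed header: %s" % exc
    remaining = len(data) - hlen
    if arg is not None:
        if major in (2, 3) and arg > remaining:
            return "declared string length %d exceeds %d available bytes" % (arg, remaining)
        if major == 4 and arg > remaining:
            return "declared array length %d exceeds %d available bytes" % (arg, remaining)
        if major == 5 and 2 * arg > remaining:
            return "declared map length %d exceeds %d available bytes" % (arg, remaining)
    return None


def safe_loads(data, max_bytes=MAX_INPUT_BYTES):
    """Apply the pre-flight checks and the version gate, then decode with cbor2."""
    reason = reject_reason(data, max_bytes)
    if reason is not None:
        raise ValueError("rejected CBOR input: " + reason)
    if cbor2 is None:
        raise RuntimeError("cbor2 is not installed")
    ver = installed_cbor2_version()
    if ver is not None and is_affected(ver):
        raise RuntimeError("cbor2 %s is in the affected range; upgrade to 5.6.2 or later" % ver)
    return cbor2.loads(data)


# Constructed sample inputs for this example (not taken from the advisory).
BENIGN = b"\x82\x01\x02"                               # array [1, 2]
HUGE_CLAIM = b"\x5b" + (2**63 - 1).to_bytes(8, "big")  # byte string claiming 2^63-1 bytes, no payload
TRUNCATED = b"\x5b\x00"                                # 8-byte length argument cut short

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("huge claim", HUGE_CLAIM), ("truncated", TRUNCATED)):
        print(label, "->", reject_reason(sample) or "ok")
```

The declared-length check only inspects the outermost item; nested items with absurd lengths are still the decoder's problem, which is why the version gate and the upgrade to 5.6.2 remain the actual fix and the size cap is defence in depth.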
References

  • https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542 (Product)
  • https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df (Patch)
  • https://github.com/agronholm/cbor2/pull/204 (Issue Tracking)
  • https://github.com/agronholm/cbor2/releases/tag/5.6.2 (Release Notes)
  • https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m (Exploit, Vendor Advisory)
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/ (Mailing List)
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/ (Mailing List)
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/ (Mailing List)
Configurations

Configuration 1

  • cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:*

Configuration 2 (any of)

  • cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

History

02 Jan 2025, 14:18

Values added:
  • First Time: Fedoraproject fedora; Fedoraproject; Agronholm cbor2; Agronholm
  • CPE: cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*; cpe:2.3:a:agronholm:cbor2:*:*:*:*:*:python:*:*; cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*; cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
  • References: resource tags assigned, URLs unchanged
      https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542 (Product)
      https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df (Patch)
      https://github.com/agronholm/cbor2/pull/204 (Issue Tracking)
      https://github.com/agronholm/cbor2/releases/tag/5.6.2 (Release Notes)
      https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m (Exploit, Vendor Advisory)
      https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/ (Mailing List)
      https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/ (Mailing List)
      https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/ (Mailing List)

21 Nov 2024, 09:02

  • References: the same eight references (two GitHub commits, pull request 204, the 5.6.2 release notes, GHSA-375g-39jq-vq7m, and the three Fedora package-announce messages) re-recorded with identical values removed and added; no URL or tag change.

19 Apr 2024, 23:15

Values added:
  • References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/

17 Apr 2024, 03:15

Values added:
  • References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/
  • References: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/

20 Feb 2024, 19:50

Values added:
  • Summary (es), Spanish translation of the description: cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and before version 5.6.2, an attacker can crash a service that uses cbor2 to parse a CBOR binary by sending a sufficiently long object. Version 5.6.2 contains a patch for this problem.

19 Feb 2024, 23:15

  • New CVE

Information

Published : 2024-02-19 23:15

Updated : 2025-01-02 14:18


NVD link : CVE-2024-26134

Mitre link : CVE-2024-26134

CVE.ORG link : CVE-2024-26134



Products Affected

fedoraproject

  • fedora

agronholm

  • cbor2

CWE

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')