CVE-2024-38525

dd-trace-cpp is the Datadog distributed tracing for C++. When the library fails to extract trace context due to malformed unicode, it logs the list of audited headers and their values using the `nlohmann` JSON library. However, due to the way the JSON library is invoked, it throws an uncaught exception, which results in a crash. This vulnerability has been patched in version 0.2.2.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/DataDog/dd-trace-cpp/releases/tag/v0.2.2
https://github.com/DataDog/dd-trace-cpp/security/advisories/GHSA-rf3p-mg22-qv6w

Configurations

No configuration.

History

01 Jul 2024, 12:37

Type	Values Removed	Values Added
Summary		(es) dd-trace-cpp es el seguimiento distribuido de Datadog para C++. Cuando la librería no puede extraer el contexto de seguimiento debido a un Unicode con formato incorrecto, registra la lista de encabezados auditados y sus valores utilizando la librería JSON `nlohmann`. Sin embargo, debido a la forma en que se invoca la librería JSON, genera una excepción no detectada, lo que provoca un bloqueo. Esta vulnerabilidad ha sido parcheada en la versión 0.2.2.

28 Jun 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-28 22:15

Updated : 2024-07-01 12:37

NVD link : CVE-2024-38525

Mitre link : CVE-2024-38525

CVE.ORG link : CVE-2024-38525

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-248

Uncaught Exception

7.5 /10