Vulnerability Details :

CVE-2024-24784

Summary
Assigner-Go
Assigner Org ID-1bb62c36-49e3-4200-9d77-64a1400537cc
Published At-05 Mar, 2024 | 22:22
Updated At-13 Feb, 2025 | 17:40
Rejected At-
Credits

Comments in display names are incorrectly handled in net/mail

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
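The risk described above is a parser differential: a program that trusts one reading of a display-name comment can be disagreed with by another conforming parser. As an added example (not code from the Go project or this advisory), the hypothetical helper trustedSenders below parses with net/mail but bases its trust decision only on the mailbox address, refuses parenthesised comments outright, and round-trips each result so the outcome cannot hinge on how a comment is read; the allowed domain and sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// ErrAmbiguous flags input that different address parsers may read differently.
var ErrAmbiguous = errors.New("address list uses ambiguous syntax")

// trustedSenders (hypothetical helper, not part of net/mail) parses raw
// and returns the mailboxes under allowedDomain. The display name never
// feeds the decision, comments are refused up front, and each result
// must survive a serialise/parse round trip.
func trustedSenders(raw, allowedDomain string) ([]string, error) {
	// Comments are legal CFWS in RFC 5322, but parsers disagree about
	// where they end; refusing them is stricter than the RFC on purpose.
	if strings.ContainsAny(raw, "()") {
		return nil, ErrAmbiguous
	}
	addrs, err := mail.ParseAddressList(raw)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, a := range addrs {
		// Decide on the machine-readable mailbox only; a.Name is
		// sender-controlled presentation.
		at := strings.LastIndex(a.Address, "@")
		if at < 0 || !strings.EqualFold(a.Address[at+1:], allowedDomain) {
			return nil, fmt.Errorf("untrusted mailbox %q", a.Address)
		}
		// A mailbox that changes across a round trip was parsed lossily.
		again, err := mail.ParseAddress(a.String())
		if err != nil || again.Address != a.Address {
			return nil, ErrAmbiguous
		}
		out = append(out, a.Address)
	}
	return out, nil
}

func main() {
	// Constructed sample: a comment in the display name is refused.
	got, err := trustedSenders(`Jane (accounts) Doe <jane@example.com>`, "example.com")
	fmt.Println(got, err)
}
```

Rejecting every parenthesis is a deliberate over-approximation; a quoted display name such as `"Jane (Doe)"` is also refused, which is the safe direction for a trust decision.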

▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Go
Assigner Org ID:1bb62c36-49e3-4200-9d77-64a1400537cc
Published At:05 Mar, 2024 | 22:22
Updated At:13 Feb, 2025 | 17:40
Rejected At:
▼CVE Numbering Authority (CNA)
Comments in display names are incorrectly handled in net/mail

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

Affected Products
Vendor
Go standard library
Product
net/mail
Collection URL
https://pkg.go.dev
Package Name
net/mail
Program Routines
  • addrParser.consumeGroupList
  • addrParser.consumePhrase
  • isAtext
  • Address.String
  • AddressParser.Parse
  • AddressParser.ParseList
  • Header.AddressList
  • ParseAddress
  • ParseAddressList
Default Status
unaffected
Versions
Affected
  • From 0 before 1.21.8 (semver)
  • From 1.22.0-0 before 1.22.1 (semver)
Problem Types
  • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences (Type: N/A, CWE ID: N/A)
Credits

Juho Nurminen of Mattermost
Slonser (https://github.com/Slonser)
References
  • https://go.dev/issue/65083
  • https://go.dev/cl/555596
  • https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
  • https://pkg.go.dev/vuln/GO-2024-2609
  • https://security.netapp.com/advisory/ntap-20240329-0007/
  • http://www.openwall.com/lists/oss-security/2024/03/08/4
▼Authorized Data Publishers (ADP)
1. CVE Program Container
References
  • https://go.dev/issue/65083 (x_transferred)
  • https://go.dev/cl/555596 (x_transferred)
  • https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg (x_transferred)
  • https://pkg.go.dev/vuln/GO-2024-2609 (x_transferred)
  • https://security.netapp.com/advisory/ntap-20240329-0007/ (x_transferred)
  • http://www.openwall.com/lists/oss-security/2024/03/08/4 (x_transferred)
2. CISA ADP Vulnrichment
Affected Products
Vendor
go_standard_library
Product
net\/mail
CPEs
  • cpe:2.3:a:go_standard_library:net\/mail:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 1.21.8 (semver)
  • From 1.22.0-0 before 1.22.1 (semver)
Metrics
  • CVSS 3.1: base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References: Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@golang.org
Published At:05 Mar, 2024 | 23:15
Updated At:05 Aug, 2024 | 21:35

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

Metrics
  • Secondary, CVSS 3.1: base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
  • http://www.openwall.com/lists/oss-security/2024/03/08/4 (source: security@golang.org)
  • https://go.dev/cl/555596 (source: security@golang.org)
  • https://go.dev/issue/65083 (source: security@golang.org)
  • https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg (source: security@golang.org)
  • https://pkg.go.dev/vuln/GO-2024-2609 (source: security@golang.org)
  • https://security.netapp.com/advisory/ntap-20240329-0007/ (source: security@golang.org)


Similar CVEs (3 records found)

CVE-2025-22874
Matching Score-8
Assigner-Go Project
CVSS Score-7.5 | HIGH
EPSS-0.01% / 1.24% | 7 Day CHG ~0.00%
Published-11 Jun, 2025 | 16:42
Updated-16 Jun, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Usage of ExtKeyUsageAny disables policy validation in crypto/x509

Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

Action-Not Available
Vendor-Go standard library
Product-crypto/x509
CVE-2022-2880
Matching Score-8
Assigner-Go Project
CVSS Score-7.5 | HIGH
EPSS-0.03% / 7.08% | 7 Day CHG -0.00%
Published-14 Oct, 2022 | 00:00
Updated-13 Feb, 2025 | 16:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect sanitization of forwarded query parameters in net/http/httputil

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After the fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

Action-Not Available
Vendor-Go standard library, Go
Product-go, net/http/httputil
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2022-41716
Matching Score-8
Assigner-Go Project
CVSS Score-6.3 | MEDIUM
EPSS-0.01% / 1.13% | 7 Day CHG ~0.00%
Published-02 Nov, 2022 | 15:28
Updated-30 Oct, 2024 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsanitized NUL in environment variables on Windows in syscall and os/exec

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

Action-Not Available
Vendor-Go standard library, Go, Microsoft Corporation
Product-go, windows, syscall, os/exec