CVE-2024-45492
CVE Details
Visit the official vulnerability details page for CVE-2024-45492 to learn more.
Initial Publication
10/25/2024
Last Update
10/25/2024
Third Party Dependency
libexpat
NIST CVE Summary
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).
CVE Severity
Our Official Summary
This CVE identifies an integer overflow vulnerability found in libexpat versions prior to 2.6.3, which can lead to an integer overflow in the nextScaffoldPart function on 32-bit platforms. This vulnerability can be exploited over a network without user interaction and has very low attack complexity. Not all of the images affected use the specific function affected. Exploiting this vulnerable library will require a user to compromise the containers and gain privileged access. Fix available in libexpat versions > 2.6.3. Investigating upgrading this library within the affected images.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.5.10 | Impacted | Impacted | Impacted | Impacted |
| 4.5.8 | Impacted | Impacted | Impacted | Impacted |
| 4.5.5 | Impacted | Impacted | Impacted | Impacted |
| 4.5.4 | Impacted | Impacted | Impacted | Impacted |
| 4.4.20 | Impacted | Impacted | Impacted | Impacted |
Revision History
| Date | Revision |
|---|---|
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
| 11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |