CVE-2024-2410

一、漏洞信息
漏洞编号：CVE-2024-2410
漏洞归属组件：serving
漏洞归属的版本：3.13.0,3.14.0,3.15.6,3.19.6,>= 3.13.0,>= 3.13.0
CVSS V3.0分值：
BaseScore：7.6 High
Vector：CVSS：3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
漏洞简述：
The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream. If the input is broken up into separate chunks in a certain way, the parser will attempt to read bytes from a chunk that has already been freed.
漏洞公开时间：2024-05-03 21:15:21
漏洞创建时间：2024-05-03 21:58:43
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2024-2410

更多参考(点击展开)

参考来源	参考链接	来源链接
cve-coordination.google.com	https://github.com/protocolbuffers/protobuf/releases/tag/v25.0
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-2410	https://bugzilla.suse.com/show_bug.cgi?id=1223947
suse_bugzilla	https://www.cve.org/CVERecord?id=CVE-2024-2410	https://bugzilla.suse.com/show_bug.cgi?id=1223947
suse_bugzilla	https://github.com/protocolbuffers/protobuf/releases/tag/v25.0	https://bugzilla.suse.com/show_bug.cgi?id=1223947
redhat_bugzilla	https://github.com/advisories/GHSA-h86c-v8g6-46f2	https://bugzilla.redhat.com/show_bug.cgi?id=2278918
redhat_bugzilla	https://github.com/protocolbuffers/protobuf/releases/tag/v25.0	https://bugzilla.redhat.com/show_bug.cgi?id=2278918
ubuntu	https://www.cve.org/CVERecord?id=CVE-2024-2410	https://ubuntu.com/security/CVE-2024-2410
ubuntu	https://github.com/protocolbuffers/protobuf/releases/tag/v25.0	https://ubuntu.com/security/CVE-2024-2410
ubuntu	https://github.com/advisories/GHSA-h86c-v8g6-46f2	https://ubuntu.com/security/CVE-2024-2410
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2024-2410	https://ubuntu.com/security/CVE-2024-2410
ubuntu	https://launchpad.net/bugs/cve/CVE-2024-2410	https://ubuntu.com/security/CVE-2024-2410
ubuntu	https://security-tracker.debian.org/tracker/CVE-2024-2410	https://ubuntu.com/security/CVE-2024-2410
debian		https://security-tracker.debian.org/tracker/CVE-2024-2410
protobuf		https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h5g9-ghrj-76p5
amazon_linux_explore	https://access.redhat.com/security/cve/CVE-2024-2410	https://explore.alas.aws.amazon.com/CVE-2024-2410.html
amazon_linux_explore	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2410	https://explore.alas.aws.amazon.com/CVE-2024-2410.html
snyk	https://github.com/protocolbuffers/protobuf/commit/b955165ebdcc5a8ba9c267230d6305f4e3d9c118	https://security.snyk.io/vuln/SNYK-UNMANAGED-PROTOCOLBUFFERSPROTOBUF-6808783
snyk	https://github.com/protocolbuffers/protobuf/releases/tag/v25.0	https://security.snyk.io/vuln/SNYK-UNMANAGED-PROTOCOLBUFFERSPROTOBUF-6808783

漏洞分析指导链接：
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复补丁	来源
	https://github.com/protocolbuffers/protobuf/commit/b955165ebdcc5a8ba9c267230d6305f4e3d9c118	snyk
protobuf	https://github.com/protocolbuffers/protobuf/commit/b955165ebdcc5a8ba9c267230d6305f4e3d9c118	ubuntu
	https://github.com/protocolbuffers/protobuf/commit/b955165ebdcc5a8ba9c267230d6305f4e3d9c118	debian

二、漏洞分析结构反馈
影响性分析说明：

MindSpore评分：
7.6
Vector：CVSS：3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
受影响版本排查(受影响/不受影响)：
1.master:
2.v1.8.0:
3.v2.0.0:

@bryanbj ,@liuchao ,@huangbingjian ,@dairenjie ,@liyuxia ,@zyli2020 ,@emmmmtang ,@Henry Shi ,@fangzhou0329 ,@shenwei41 ,@jxl ,@chenhaozhe ,@zhanghaibo ,@yanghaoran ,@looop5 ,@kyang ,@chengang ,@mindspore_ding ,@ougongchang ,@zhunaipan ,@herryshi1 ,@Zenzenzense ,@zhaoting ,@徐永飞 ,@yxx ,@ZPaC ,@Greatpan ,@yefeng ,@fangzehua
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, MindSpore评分, 受影响版本排查(受影响/不受影响))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

MindSpore评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.master:
2.v1.8.0:
3.v2.0.0:

issue处理具体操作请参考:
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

Please assign maintainer to check this issue.
请为此issue分配处理人。
@mindspore-ci-bot

感谢您的提问，您可以评论//mindspore-assistant更快获取帮助：

如果您刚刚接触MindSpore，或许您可以在教程找到答案
如果您是资深Pytorch用户，您或许需要：

如果您遇到动态图问题，可以设置set_context(pynative_synchronize=True)查看报错栈协助定位
模型精度调优问题可参考官网调优指南
如果您反馈的是框架BUG，请确认您在ISSUE中提供了MindSpore版本、使用的后端类型（CPU、GPU、Ascend）、环境、训练的代码官方链接以及可以复现报错的代码的启动方式等必要的定位信息
如果您已经定位出问题根因，欢迎提交PR参与MindSpore开源社区，我们会尽快review

MindSpore / serving

内容风险标识

评论 (3)

MindSpore / serving .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-2410

评论 (3)

搜索帮助

MindSpore / serving