{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-14031","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2026-03-29T15:12:06.674Z","datePublished":"2026-03-31T11:31:28.100Z","dateUpdated":"2026-04-01T16:30:00.649Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"Sereal-Encoder","product":"Sereal::Encoder","repo":"https://github.com/Sereal/Sereal","vendor":"YVES","versions":[{"lessThanOrEqual":"4.009_002","status":"affected","version":"4.000","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922.  This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1395","description":"CWE-1395 Dependency on Vulnerable Third-Party Component","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-04-01T16:30:00.649Z"},"references":[{"tags":["vendor-advisory"],"url":"https://github.com/advisories/GHSA-w77f-wv46-4vcx"},{"tags":["vendor-advisory"],"url":"https://www.cve.org/CVERecord?id=CVE-2019-11922"},{"tags":["release-notes"],"url":"https://metacpan.org/release/YVES/Sereal-Encoder-4.010/changes"}],"solutions":[{"lang":"en","value":"Upgrade to Sereal::Encoder version 4.010 or later."}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2017-02-06T00:00:00.000Z","value":"Sereal::Encoder version 4.001_001 
released."},{"lang":"en","time":"2018-12-27T00:00:00.000Z","value":"Zstandard 1.3.8 released."},{"lang":"en","time":"2019-07-25T00:00:00.000Z","value":"CVE-2019-11922 for Zstandard published"},{"lang":"en","time":"2020-02-04T00:00:00.000Z","value":"Sereal::Encoder version 4.010 released."},{"lang":"en","time":"2023-02-09T00:00:00.000Z","value":"Advisory added to the CPANSA database."},{"lang":"en","time":"2024-02-17T00:00:00.000Z","value":"Advisory updated in the CPANSA database."}],"title":"Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library","x_generator":{"engine":"cpansec-cna-tool 0.1"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-1395","lang":"en","description":"CWE-1395 Dependency on Vulnerable Third-Party Component"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":8.1,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"HIGH","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-03-31T14:19:21.141997Z","id":"CVE-2024-14031","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-31T14:19:27.286Z"}}]}}