{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-4420","assignerOrgId":"14ed7db2-1595-443d-9d34-6215bf890778","state":"PUBLISHED","assignerShortName":"Google","dateReserved":"2024-05-02T11:15:28.604Z","datePublished":"2024-05-21T11:52:28.398Z","dateUpdated":"2024-08-01T20:40:47.073Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://github.com/tink-crypto/tink-cc/","defaultStatus":"unaffected","packageName":"Tink-cc","product":"Tink","repo":"https://github.com/tink-crypto","vendor":"Google","versions":[{"lessThan":"2.1.3","status":"affected","version":"2.0.0","versionType":"semver"}]},{"collectionURL":"https://github.com/google/tink","defaultStatus":"unaffected","packageName":"Tink-crypto (legacy)","product":"Tink (Legacy)","repo":"https://github.com/google/tink","vendor":"Google","versions":[{"lessThanOrEqual":"1.7.0","status":"affected","version":"0","versionType":"semver"}]}],"datePublic":"2024-05-02T10:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"There exists a Denial of service vulnerability in Tink-cc in versions prior to 2.1.3.&nbsp;<ul><li>An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input that is not an encoded JSON object, but still a valid encoded JSON element, for example a number or an array. This will crash as Tink just assumes any valid JSON input will contain an object.</li></ul><ul><li>An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input containing many nested JSON objects. This may result in a stack overflow.</li></ul>We recommend upgrading to version 2.1.3 or above"}],"value":"There exists a Denial of service vulnerability in Tink-cc in versions prior to 2.1.3.   *  An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input that is not an encoded JSON object, but still a valid encoded JSON element, for example a number or an array. This will crash as Tink just assumes any valid JSON input will contain an object.\n\n\n  *  An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input containing many nested JSON objects. This may result in a stack overflow.\n\n\nWe recommend upgrading to version 2.1.3 or above"}],"impacts":[{"capecId":"CAPEC-469","descriptions":[{"lang":"en","value":"CAPEC-469 HTTP DoS"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"NOT_DEFINED","Safety":"NEGLIGIBLE","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":6.8,"baseSeverity":"MEDIUM","privilegesRequired":"LOW","providerUrgency":"GREEN","subAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"ACTIVE","valueDensity":"DIFFUSE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/S:N/AU:Y/V:D/RE:L/U:Green","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"LOW"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-116","description":"CWE-116 Improper Encoding or Escaping of Output","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"14ed7db2-1595-443d-9d34-6215bf890778","shortName":"Google","dateUpdated":"2024-05-21T14:49:17.375Z"},"references":[{"url":"https://github.com/tink-crypto/tink-cc/issues/4"}],"source":{"discovery":"INTERNAL"},"title":"Denial of Service in Tink-cc","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-4420","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-05-21T15:01:39.524101Z"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:55:38.346Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T20:40:47.073Z"},"title":"CVE Program Container","references":[{"url":"https://github.com/tink-crypto/tink-cc/issues/4","tags":["x_transferred"]}]}]}}