PT-2024-31032 · Google · Tink-Cc

Juergw · Published 2024-05-21 · Updated 2025-06-05 · CVE-2024-4420

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Tink-cc versions prior to 2.1.3
Description: Denial of service. An adversary can crash a binary that uses crypto::tink::JsonKeysetReader in Tink-cc by supplying input that is a valid encoded JSON element but not a JSON object, for example a number or an array. Tink assumes that any valid JSON input contains an object, so such input crashes the process. An adversary can also crash the binary by supplying input containing many nested JSON objects, which may result in a stack overflow.
Recommendations: Upgrade to version 2.1.3 or later. If you cannot upgrade immediately, restrict the use of crypto::tink::JsonKeysetReader to trusted keyset sources, and reject input that is not an encoded JSON object, or that contains deeply nested JSON objects, before it reaches the reader.
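The two malformed inputs named in the description (a top-level JSON element that is not an object, and deeply nested objects) can both be rejected before the blob ever reaches the keyset reader, which is what the interim recommendation amounts to. The following pre-check is an added example written for this page; it is not Tink code and does not call the Tink API. It scans the raw text once, skipping string literals, and refuses anything whose first element is not an object or whose bracket nesting exceeds a bound. The depth limit kMaxKeysetDepth, the enum names and the helper NestedObjects are this example's own choices; a real Tink keyset is a shallow structure, so a small bound is safe.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>

// Verdict of the pre-check an untrusted keyset blob must pass before it is
// handed to a JSON keyset parser. (Example code, not part of Tink.)
enum class KeysetPrecheck {
  kOk,
  kEmpty,
  kNotAnObject,      // top-level element is a number, array, string, ...
  kTooDeeplyNested,  // '{'/'[' nesting exceeds the configured bound
  kUnbalanced,       // brackets or strings never close; reject, do not guess
};

// Assumed bound, chosen for this example. A keyset is an object holding an
// array of key objects, each with a keyData object, so 16 leaves headroom.
constexpr int kMaxKeysetDepth = 16;

// Single pass over the text. String literals are skipped (including escaped
// quotes) so that braces inside string values do not affect the depth count.
// This is deliberately not a JSON parser: it only decides whether the blob is
// safe to pass to one.
KeysetPrecheck PrecheckKeysetJson(std::string_view json,
                                  int max_depth = kMaxKeysetDepth) {
  size_t i = 0;
  while (i < json.size() && std::isspace(static_cast<unsigned char>(json[i]))) ++i;
  if (i == json.size()) return KeysetPrecheck::kEmpty;
  if (json[i] != '{') return KeysetPrecheck::kNotAnObject;  // number, array, ...

  int depth = 0;
  bool in_string = false;
  for (; i < json.size(); ++i) {
    const char c = json[i];
    if (in_string) {
      if (c == '\\') { ++i; continue; }  // skip the escaped character
      if (c == '"') in_string = false;
      continue;
    }
    switch (c) {
      case '"': in_string = true; break;
      case '{': case '[':
        if (++depth > max_depth) return KeysetPrecheck::kTooDeeplyNested;
        break;
      case '}': case ']':
        if (--depth < 0) return KeysetPrecheck::kUnbalanced;
        break;
      default: break;
    }
  }
  if (in_string || depth != 0) return KeysetPrecheck::kUnbalanced;
  return KeysetPrecheck::kOk;
}

// Constructs the second kind of input from the advisory: n nested objects.
std::string NestedObjects(int n) {
  std::string s;
  for (int i = 0; i < n; ++i) s += "{\"k\":";
  s += "1";
  for (int i = 0; i < n; ++i) s += "}";
  return s;
}

const char* ToString(KeysetPrecheck v) {
  switch (v) {
    case KeysetPrecheck::kOk: return "ok";
    case KeysetPrecheck::kEmpty: return "empty";
    case KeysetPrecheck::kNotAnObject: return "not an object";
    case KeysetPrecheck::kTooDeeplyNested: return "too deeply nested";
    case KeysetPrecheck::kUnbalanced: return "unbalanced";
  }
  return "?";
}

int main() {
  // Constructed sample inputs: a plausible keyset shape and the two bad cases.
  const std::string samples[] = {
      "{\"primaryKeyId\":1,\"key\":[{\"keyData\":{\"typeUrl\":\"x\"}}]}",
      "42",
      "[1,2,3]",
      NestedObjects(100000),
  };
  for (const auto& s : samples) {
    std::cout << ToString(PrecheckKeysetJson(s)) << "\n";
  }
  return 0;
}
```

Only blobs that return kOk should be passed on to the keyset reader; everything else is logged and dropped. This is defence in depth for the interim period, not a substitute for upgrading to 2.1.3.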

Fix · DoS

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: CVE-2024-4420

Affected Products: Tink-Cc