CVE-2024-38525
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
dd-trace-cpp is the Datadog distributed tracing for C++. When the library fails to extract trace context due to malformed unicode, it logs the list of audited headers and their values using the nlohmann JSON library. However, due to the way the JSON library is invoked, it throws an uncaught exception, which results in a crash. This vulnerability has been patched in version 0.2.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| DataDog | dd-trace-cpp | >= 0.1.12, < 0.2.2 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
- CWE-248: CWE-248: Uncaught Exception
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/DataDog/dd-trace-cpp/security/advisories/GHSA-rf3p-mg22-qv6w
- https://github.com/DataDog/dd-trace-cpp/releases/tag/v0.2.2
References
- https://github.com/DataDog/dd-trace-cpp/security/advisories/GHSA-rf3p-mg22-qv6w
- https://github.com/DataDog/dd-trace-cpp/releases/tag/v0.2.2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.