CRITICAL🇵🇱 Wersja polska

CVE-2024-21646

CVSS 9.8v3.1pub. 2024-01-09upd. 2024-11-21

Azure uAMQP is a general purpose C library for AMQP 1.0. The UAMQP library is used by several clients to implement AMQP protocol communication. When clients using this library receive a crafted binary type data, an integer overflow or wraparound or memory safety issue can occur and may cause remote code execution. This vulnerability has been patched in release 2024-01-01.

🤖 AI Analysis
How it works

When a client using the uAMQP-C library receives crafted binary data of a specific type, an integer overflow or wraparound occurs, leading to a memory safety violation. The error results from improper validation of input data when decoding AMQP messages (CWE-190, CWE-94). The consequence is the ability to execute arbitrary code in the context of the process handling the AMQP connection.

Impact

An attacker can gain full control over a vulnerable system through remote code execution (RCE), which threatens the confidentiality, integrity, and availability of data and services.

Mitigation & patch

The azure-uamqp-c library should be updated to the version released on 2024-01-01 (commit 12ddb3a31a5a97f55b06fa5d74c59a1d84ad78fe). This also applies to all products and applications that indirectly use this library — dependencies should be checked and updated to versions containing the patch.

Who is affected

The Azure uAMQP-C library (azure-uamqp-c) and all applications and clients using this library for AMQP communication — versions prior to the release on 2024-01-01.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Microsoft Azure Uamqp

    APP
    Microsoft
    < 2024-01-01
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-27099CRITICAL9.8PL ✓ten sam produkt

Double free w bibliotece uAMQP-C prowadzący do RCE w Azure

CVE-2024-25110CRITICAL9.8PL ✓ten sam produkt

Use-after-free w Microsoft Azure UAMQP-C umożliwiający zdalny RCE

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych