CRITICAL🇵🇱 Wersja polska

CVE-2024-27099

CVSS 9.8v3.1pub. 2024-02-27upd. 2025-02-14

The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Services. When processing an incorrect `AMQP_VALUE` failed state, may cause a double free problem. This may cause a RCE. Update submodule with commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987.

🤖 AI Analysis
How it works

When processing an AMQP_VALUE in an incorrect state, the library improperly frees the same memory area twice (double free, CWE-415). This is a classic memory management issue in C that can lead to heap corruption. An attacker can potentially exploit this situation to gain control over program execution flow and run arbitrary code.

Impact

An attacker can remotely execute arbitrary code (RCE) in the context of a process using the vulnerable library, without the need for authentication, which may result in complete system compromise.

Mitigation & patch

The azure-uamqp-c submodule should be updated to a version containing commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987. Details are available in the security advisory GHSA-6rh4-fj44-v4jj on GitHub.

Who is affected

Azure uAMQP-C library (azure-uamqp-c) — versions prior to commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Microsoft Azure Uamqp

    APP
    Microsoft
    < 2023-2-08
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-25110CRITICAL9.8PL ✓ten sam produkt

Use-after-free w Microsoft Azure UAMQP-C umożliwiający zdalny RCE

CVE-2024-21646CRITICAL9.8PL ✓ten sam produkt

RCE w bibliotece Azure uAMQP-C przez integer overflow

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych