Vulnerability in Google Tink

CVE-2024-4420

There exists a Denial of service vulnerability in Tink-cc in versions prior to 2.1.3. * An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input that is not an encoded JSON object, but st…

EPSS: 0.001 (21.5th percentile) — read the EPSS interpretation.

Affected products

Google Tink — versions 2.0.0
Google Tink (Legacy) — versions 0

Weakness classification (CWE)

CWE-116 — Improper Encoding or Escaping of Output

References

github.com/tink-crypto/tink-cc/issues/4