CVE-2019-18224

critical
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.

References

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420

https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c

https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1

https://lists.fedoraproject.org/archives/list/[email protected]/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/

https://lists.fedoraproject.org/archives/list/[email protected]/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/

https://usn.ubuntu.com/4168-1/

Details

Source: MITRE

Published: 2019-10-21

Updated: 2019-10-29

Type: CWE-787

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:gnu:libidn2:*:*:*:*:*:*:*:*

Tenable Plugins

View all (11 total)

IDNameProductFamilySeverity
140346EulerOS Virtualization for ARM 64 3.0.2.0 : libidn2 (EulerOS-SA-2020-1976)NessusHuawei Local Security Checks
critical
135018GLSA-202003-63 : GNU IDN Library 2: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
133416Debian DSA-4613-1 : libidn2 - security updateNessusDebian Local Security Checks
critical
132322Amazon Linux AMI : libidn2 (ALAS-2019-1327)NessusAmazon Linux Local Security Checks
critical
132261Amazon Linux 2 : libidn2 (ALAS-2019-1373)NessusAmazon Linux Local Security Checks
critical
131684openSUSE Security Update : libidn2 (openSUSE-2019-2613)NessusSuSE Local Security Checks
critical
131682openSUSE Security Update : libidn2 (openSUSE-2019-2611)NessusSuSE Local Security Checks
critical
131548SUSE SLED15 / SLES15 Security Update : libidn2 (SUSE-SU-2019:3086-1)NessusSuSE Local Security Checks
critical
130492Fedora 30 : mingw-libidn2 (2019-d3221d69e0)NessusFedora Local Security Checks
critical
130489Fedora 29 : mingw-libidn2 (2019-a8d35fcf7c)NessusFedora Local Security Checks
critical
130393Ubuntu 18.04 LTS / 19.04 : Libidn2 vulnerabilities (USN-4168-1)NessusUbuntu Local Security Checks
critical