cve-2024-6874
Vulnerability from cvelistv5
Published
2024-07-24 07:36
Modified
2025-02-13 17:58
Severity ?
EPSS score ?
Summary
libcurl's URL API function
[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. Asking to convert a name that is exactly 256
bytes, libcurl ends up reading outside of a stack based buffer when built to
use the *macidn* IDN backend. The conversion function then fills up the
provided buffer exactly - but does not null terminate the string.
This flaw can lead to stack contents accidently getting returned as part of
the converted string.
References
▼ | URL | Tags | |
---|---|---|---|
2499f714-1537-4658-8207-48ae4bb9eae9 | http://www.openwall.com/lists/oss-security/2024/07/24/2 | Mailing List, Third Party Advisory | |
2499f714-1537-4658-8207-48ae4bb9eae9 | https://curl.se/docs/CVE-2024-6874.html | Vendor Advisory | |
2499f714-1537-4658-8207-48ae4bb9eae9 | https://curl.se/docs/CVE-2024-6874.json | Vendor Advisory | |
2499f714-1537-4658-8207-48ae4bb9eae9 | https://hackerone.com/reports/2604391 | Exploit, Issue Tracking, Technical Description | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/24/2 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://curl.se/docs/CVE-2024-6874.html | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://curl.se/docs/CVE-2024-6874.json | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/2604391 | Exploit, Issue Tracking, Technical Description | |
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20240822-0004/ |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:curl:libcurl:8.8.0:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "libcurl", vendor: "curl", versions: [ { status: "affected", version: "8.8.0", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-6874", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-24T16:13:40.560966Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-24T16:25:51.575Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-22T18:03:17.766Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "json", tags: [ "x_transferred", ], url: "https://curl.se/docs/CVE-2024-6874.json", }, { name: "www", tags: [ "x_transferred", ], url: "https://curl.se/docs/CVE-2024-6874.html", }, { name: "issue", tags: [ "x_transferred", ], url: "https://hackerone.com/reports/2604391", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/07/24/2", }, { url: "https://security.netapp.com/advisory/ntap-20240822-0004/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "curl", vendor: "curl", versions: [ { lessThanOrEqual: "8.8.0", status: "affected", version: "8.8.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "z2_", }, { lang: "en", type: "remediation developer", value: "z2_", }, ], descriptions: [ { lang: "en", value: "libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-126 Buffer Over-read", lang: "en", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-24T07:40:07.072Z", orgId: "2499f714-1537-4658-8207-48ae4bb9eae9", shortName: "curl", }, references: [ { name: "json", url: "https://curl.se/docs/CVE-2024-6874.json", }, { name: "www", url: "https://curl.se/docs/CVE-2024-6874.html", }, { name: "issue", url: "https://hackerone.com/reports/2604391", }, { url: "http://www.openwall.com/lists/oss-security/2024/07/24/2", }, ], title: "macidn punycode buffer overread", }, }, cveMetadata: { assignerOrgId: "2499f714-1537-4658-8207-48ae4bb9eae9", assignerShortName: "curl", cveId: "CVE-2024-6874", datePublished: "2024-07-24T07:36:26.887Z", dateReserved: "2024-07-18T03:37:32.294Z", dateUpdated: "2025-02-13T17:58:00.151Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2024-6874\",\"sourceIdentifier\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"published\":\"2024-07-24T08:15:03.413\",\"lastModified\":\"2024-11-21T09:50:26.493\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"libcurl's URL API function\\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\\nconversions, to and from IDN. Asking to convert a name that is exactly 256\\nbytes, libcurl ends up reading outside of a stack based buffer when built to\\nuse the *macidn* IDN backend. The conversion function then fills up the\\nprovided buffer exactly - but does not null terminate the string.\\n\\nThis flaw can lead to stack contents accidently getting returned as part of\\nthe converted string.\"},{\"lang\":\"es\",\"value\":\"La función API de URL de libcurl [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) ofrece conversiones punycode, hacia y desde IDN. Al solicitar convertir un nombre que tiene exactamente 256 bytes, libcurl termina leyendo fuera de un búfer en la región stack de la memoria cuando se construye para usar el backend IDN *macidn*. Luego, la función de conversión llena exactamente el búfer proporcionado, pero no termina en nulo la cadena. Esta falla puede provocar que el contenido de la pila se devuelva accidentalmente como parte de la cadena convertida.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:haxx:libcurl:8.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"759E33B7-1F1E-4050-A400-A2176BF35469\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/07/24/2\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://curl.se/docs/CVE-2024-6874.html\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://curl.se/docs/CVE-2024-6874.json\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://hackerone.com/reports/2604391\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Technical Description\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/07/24/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://curl.se/docs/CVE-2024-6874.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://curl.se/docs/CVE-2024-6874.json\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://hackerone.com/reports/2604391\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Technical Description\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240822-0004/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://curl.se/docs/CVE-2024-6874.json\", \"name\": \"json\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://curl.se/docs/CVE-2024-6874.html\", \"name\": \"www\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://hackerone.com/reports/2604391\", \"name\": \"issue\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/07/24/2\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240822-0004/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-22T18:03:17.766Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-6874\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-24T16:13:40.560966Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:curl:libcurl:8.8.0:*:*:*:*:*:*:*\"], \"vendor\": \"curl\", \"product\": \"libcurl\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.8.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-24T16:16:31.062Z\"}}], \"cna\": {\"title\": \"macidn punycode buffer overread\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"z2_\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"z2_\"}], \"affected\": [{\"vendor\": \"curl\", \"product\": \"curl\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.8.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.8.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://curl.se/docs/CVE-2024-6874.json\", \"name\": \"json\"}, {\"url\": \"https://curl.se/docs/CVE-2024-6874.html\", \"name\": \"www\"}, {\"url\": \"https://hackerone.com/reports/2604391\", \"name\": \"issue\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/07/24/2\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"libcurl's URL API function\\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\\nconversions, to and from IDN. Asking to convert a name that is exactly 256\\nbytes, libcurl ends up reading outside of a stack based buffer when built to\\nuse the *macidn* IDN backend. The conversion function then fills up the\\nprovided buffer exactly - but does not null terminate the string.\\n\\nThis flaw can lead to stack contents accidently getting returned as part of\\nthe converted string.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-126 Buffer Over-read\"}]}], \"providerMetadata\": {\"orgId\": \"2499f714-1537-4658-8207-48ae4bb9eae9\", \"shortName\": \"curl\", \"dateUpdated\": \"2024-07-24T07:40:07.072Z\"}}}", cveMetadata: "{\"cveId\": \"CVE-2024-6874\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T17:58:00.151Z\", \"dateReserved\": \"2024-07-18T03:37:32.294Z\", \"assignerOrgId\": \"2499f714-1537-4658-8207-48ae4bb9eae9\", \"datePublished\": \"2024-07-24T07:36:26.887Z\", \"assignerShortName\": \"curl\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.