CVE-2024-3651

Denial of Service via Quadratic Complexity in kjd/idna

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.

Se identificó una vulnerabilidad en la librería kjd/idna, específicamente dentro de la función `idna.encode()`, afectando a la versión 3.6. El problema surge del manejo por parte de la función de cadenas de entrada manipuladas, lo que puede generar complejidad cuadrática y, en consecuencia, una condición de denegación de servicio. Esta vulnerabilidad se activa por una entrada manipulada que hace que la función `idna.encode()` procese la entrada con una carga computacional considerable, aumentando significativamente el tiempo de procesamiento de manera cuadrática en relación con el tamaño de la entrada.

A flaw was found in the python-idna library. A malicious argument was sent to the idna.encode() function can trigger an uncontrolled resource consumption, resulting in a denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-10 CVE Reserved
2024-05-21 CVE Published
2024-07-12 EPSS Updated
2024-08-01 CVE Updated
2024-08-01 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC
https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb	2024-08-01

URL	Date	SRC
https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d	2024-07-11

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-3651	2024-10-23
https://bugzilla.redhat.com/show_bug.cgi?id=2274779	2024-10-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Kjd Search vendor "Kjd"		Internationalized Domain Names In Applications Search vendor "Kjd" for product "Internationalized Domain Names In Applications"				3.6 Search vendor "Kjd" for product "Internationalized Domain Names In Applications" and version "3.6"		-		Affected