{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-34402", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T02:51:11.434Z", "dateReserved": "2024-05-03T00:00:00", "datePublished": "2024-05-03T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-10T17:06:04.601564"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/uriparser/uriparser/pull/185"}, {"url": "https://github.com/uriparser/uriparser/issues/183"}, {"name": "[oss-security] 20240506 Fwd: uriparser 0.9.8 released, includes security fixes", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/05/06/1"}, {"name": "[oss-security] 20240506 Re: Fwd: uriparser 0.9.8 released, includes security fixes", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/05/06/3"}, {"name": "FEDORA-2024-40e8512956", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UG4J7PD475LSCGCSHFU4GMU4TWLDSNW2/"}, {"name": "FEDORA-2024-a7b8b6bfe2", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R36L762D3KX3GA66OOPWW7M7KKDRXDP/"}, {"name": "FEDORA-2024-410d4ecabe", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZ6KEUQXWCTYXGTBMZDD7CHJCYI52XY3/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-190", "lang": "en", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "affected": [{"vendor": "uriparser_project", "product": "uriparser", "cpes": ["cpe:2.3:a:uriparser_project:uriparser:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.9.7", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-06T19:15:32.011239Z", "id": "CVE-2024-34402", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T18:30:23.820Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:11.434Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/uriparser/uriparser/pull/185", "tags": ["x_transferred"]}, {"url": "https://github.com/uriparser/uriparser/issues/183", "tags": ["x_transferred"]}, {"name": "[oss-security] 20240506 Fwd: uriparser 0.9.8 released, includes security fixes", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/05/06/1"}, {"name": "[oss-security] 20240506 Re: Fwd: uriparser 0.9.8 released, includes security fixes", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/05/06/3"}, {"name": "FEDORA-2024-40e8512956", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UG4J7PD475LSCGCSHFU4GMU4TWLDSNW2/"}, {"name": "FEDORA-2024-a7b8b6bfe2", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R36L762D3KX3GA66OOPWW7M7KKDRXDP/"}, {"name": "FEDORA-2024-410d4ecabe", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZ6KEUQXWCTYXGTBMZDD7CHJCYI52XY3/"}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/uriparser/uriparser/pull/185", "tags": ["x_transferred"]}, {"url": "https://github.com/uriparser/uriparser/issues/183", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/06/1", "name": "[oss-security] 20240506 Fwd: uriparser 0.9.8 released, includes security fixes", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/06/3", "name": "[oss-security] 20240506 Re: Fwd: uriparser 0.9.8 released, includes security fixes", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UG4J7PD475LSCGCSHFU4GMU4TWLDSNW2/", "name": "FEDORA-2024-40e8512956", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R36L762D3KX3GA66OOPWW7M7KKDRXDP/", "name": "FEDORA-2024-a7b8b6bfe2", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZ6KEUQXWCTYXGTBMZDD7CHJCYI52XY3/", "name": "FEDORA-2024-410d4ecabe", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:11.434Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-34402", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-06T19:15:32.011239Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:uriparser_project:uriparser:*:*:*:*:*:*:*:*"], "vendor": "uriparser_project", "product": "uriparser", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "0.9.7"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-06T19:18:05.897Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/uriparser/uriparser/pull/185"}, {"url": "https://github.com/uriparser/uriparser/issues/183"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/06/1", "name": "[oss-security] 20240506 Fwd: uriparser 0.9.8 released, includes security fixes", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/06/3", "name": "[oss-security] 20240506 Re: Fwd: uriparser 0.9.8 released, includes security fixes", "tags": ["mailing-list"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UG4J7PD475LSCGCSHFU4GMU4TWLDSNW2/", "name": "FEDORA-2024-40e8512956", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R36L762D3KX3GA66OOPWW7M7KKDRXDP/", "name": "FEDORA-2024-a7b8b6bfe2", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZ6KEUQXWCTYXGTBMZDD7CHJCYI52XY3/", "name": "FEDORA-2024-410d4ecabe", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-10T17:06:04.601564"}}}, "cveMetadata": {"cveId": "CVE-2024-34402", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:51:11.434Z", "dateReserved": "2024-05-03T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-05-03T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en uriparser hasta la versi\u00f3n 0.9.7. ComposeQueryEngine en UriQuery.c tiene un desbordamiento de enteros a trav\u00e9s de claves o valores largos, con un desbordamiento de b\u00fafer resultante."}], "id": "CVE-2024-34402", "lastModified": "2024-07-03T01:59:58.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-03T01:15:48.633", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/05/06/1"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/05/06/3"}, {"source": "cve@mitre.org", "url": "https://github.com/uriparser/uriparser/issues/183"}, {"source": "cve@mitre.org", "url": "https://github.com/uriparser/uriparser/pull/185"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R36L762D3KX3GA66OOPWW7M7KKDRXDP/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CZ6KEUQXWCTYXGTBMZDD7CHJCYI52XY3/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UG4J7PD475LSCGCSHFU4GMU4TWLDSNW2/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "uriparser: integer overflow via long keys or values in ComposeQueryEngine() in UriQuery.c", "id": "2278807", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278807"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190->CWE-120", "details": ["An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow.", "An integer overflow issue was found in Uriparser in the ComposeQueryEngine() function in UriQuery.c. This function computes the space needed for composing a query string. However, it encounters an integer overflow issue when handling large key or value lengths, potentially leading to incorrect memory allocations or operations due to malformed size calculations. This flaw allows attackers to crash the application, resulting in a denial of service."], "name": "CVE-2024-34402", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "uriparser", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-05-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-34402\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-34402"], "statement": "We do not distribute this package in RHEL 8, 9, and 10. Additionally, RHEL 7 is no longer within the scope of our supported versions.", "threat_severity": "Moderate", "upstream_fix": "uriparser 0.9.8"}