{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3651", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-04-10T23:50:44.569Z", "datePublished": "2024-07-07T17:22:10.032Z", "dateUpdated": "2024-08-01T20:20:00.683Z"}, "containers": {"cna": {"title": "Denial of Service via Quadratic Complexity in kjd/idna", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-07-07T17:22:10.032Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size."}], "affected": [{"vendor": "kjd", "product": "kjd/idna", "versions": [{"version": "unspecified", "lessThan": "3.7", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "93d78d07-d791-4b39-a845-cbfabc44aadb", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-07T19:07:43.737156Z", "id": "CVE-2024-3651", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-07T19:07:50.996Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:00.683Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb", "tags": ["x_transferred"]}, {"url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb", "tags": ["x_transferred"]}, {"url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:00.683Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3651", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-07T19:07:43.737156Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-07T19:07:48.586Z"}}], "cna": {"title": "Denial of Service via Quadratic Complexity in kjd/idna", "source": {"advisory": "93d78d07-d791-4b39-a845-cbfabc44aadb", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "kjd", "product": "kjd/idna", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "3.7", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}, {"url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d"}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-07-07T17:22:10.032Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3651", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:20:00.683Z", "dateReserved": "2024-04-10T23:50:44.569Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-07-07T17:22:10.032Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kjd:internationalized_domain_names_in_applications:3.6:*:*:*:*:*:*:*", "matchCriteriaId": "58AE756B-C46B-418C-A3CD-DD0CEE78ABB3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad en la librer\u00eda kjd/idna, espec\u00edficamente dentro de la funci\u00f3n `idna.encode()`, afectando a la versi\u00f3n 3.6. El problema surge del manejo por parte de la funci\u00f3n de cadenas de entrada manipuladas, lo que puede generar complejidad cuadr\u00e1tica y, en consecuencia, una condici\u00f3n de denegaci\u00f3n de servicio. Esta vulnerabilidad se activa por una entrada manipulada que hace que la funci\u00f3n `idna.encode()` procese la entrada con una carga computacional considerable, aumentando significativamente el tiempo de procesamiento de manera cuadr\u00e1tica en relaci\u00f3n con el tama\u00f1o de la entrada."}], "id": "CVE-2024-3651", "lastModified": "2024-07-11T14:58:01.803", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-07T18:15:09.827", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Patch"], "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@huntr.dev", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-idna-0:3.7-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-idna-0:3.7-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3466", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39:3.9-8100020240516111311.d47b87a4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-29T00:00:00Z"}, {"advisory": "RHSA-2024:3466", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39-devel:3.9-8100020240516111311.d47b87a4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-29T00:00:00Z"}, {"advisory": "RHSA-2024:4260", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "python-idna-0:2.5-7.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:3552", "cpe": "cpe:/o:redhat:rhel_aus:8.6", "package": "python-idna-0:2.5-5.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3552", "cpe": "cpe:/o:redhat:rhel_tus:8.6", "package": "python-idna-0:2.5-5.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3552", "cpe": "cpe:/o:redhat:rhel_e4s:8.6", "package": "python-idna-0:2.5-5.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3543", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "python-idna-0:2.5-5.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-06-03T00:00:00Z"}, {"advisory": "RHSA-2024:3846", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "python-idna-0:2.10-7.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-06-11T00:00:00Z"}], "bugzilla": {"description": "python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()", "id": "2274779", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274779"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.", "A flaw was found in the python-idna library. A malicious argument was sent to the idna.encode() function can trigger an uncontrolled resource consumption, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-3651", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python-idna", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python27:2.7/python-idna", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "python-idna", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "ansiblerole-foreman_scap_client", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python-idna", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python-idna-ssl", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-python38-python-idna", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Will not fix", "package_name": "python-idna", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Will not fix", "package_name": "python-idna-ssl", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2024-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-3651\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3651"], "statement": "The vulnerability in the idna.encode() function, allowing for resource consumption via specially crafted arguments, is categorized as a moderate severity issue due to its potential impact on system availability rather than data integrity or confidentiality. While the vulnerability can lead to a denial-of-service condition, it requires the passing of unusually large or maliciously crafted inputs to exploit. Normal usage scenarios typically do not encounter such inputs.", "threat_severity": "Moderate"}