OpenCVE

libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string. This flaw can lead to stack contents accidently getting returned as part of the converted string.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Haxx	Libcurl

Configuration 1 [-]

cpe:2.3:a:haxx:libcurl:8.8.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/07/24/2
https://curl.se/docs/CVE-2024-6874.html
https://curl.se/docs/CVE-2024-6874.json
https://hackerone.com/reports/2604391
https://nvd.nist.gov/vuln/detail/CVE-2024-6874
https://www.cve.org/CVERecord?id=CVE-2024-6874

History

Tue, 10 Sep 2024 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Haxx Haxx libcurl
Weaknesses		CWE-125
CPEs		cpe:2.3:a:haxx:libcurl:8.8.0:::::::*
Vendors & Products		Haxx Haxx libcurl
Metrics	cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}`	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2024-07-24T07:36:26.887Z

Updated: 2024-08-22T18:03:17.766Z

Reserved: 2024-07-18T03:37:32.294Z

Link: CVE-2024-6874

Vulnrichment

Updated: 2024-08-01T21:45:38.111Z

NVD

Status : Analyzed

Published: 2024-07-24T08:15:03.413

Modified: 2024-09-10T15:27:04.190

Link: CVE-2024-6874

Redhat

Severity : Low

Publid Date: 2024-07-24T00:00:00Z

Links: CVE-2024-6874 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-6874", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "state": "PUBLISHED", "assignerShortName": "curl", "dateReserved": "2024-07-18T03:37:32.294Z", "datePublished": "2024-07-24T07:36:26.887Z", "dateUpdated": "2024-08-22T18:03:17.766Z"}, "containers": {"cna": {"title": "macidn punycode buffer overread", "descriptions": [{"lang": "en", "value": "libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string."}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-24T07:36:26.887Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-126 Buffer Over-read "}]}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.8.0", "status": "affected", "lessThanOrEqual": "8.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-6874.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-6874.html", "name": "www"}, {"url": "https://hackerone.com/reports/2604391", "name": "issue"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/2"}], "credits": [{"lang": "en", "value": "z2_", "type": "finder"}, {"lang": "en", "value": "z2_", "type": "remediation developer"}]}, "adp": [{"affected": [{"vendor": "curl", "product": "libcurl", "cpes": ["cpe:2.3:a:curl:libcurl:8.8.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "8.8.0", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T16:13:40.560966Z", "id": "CVE-2024-6874", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T16:25:51.575Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-6874.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-6874.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2604391", "name": "issue", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/2", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240822-0004/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-22T18:03:17.766Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-6874.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-6874.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2604391", "name": "issue", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.111Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-6874", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-24T16:13:40.560966Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:curl:libcurl:8.8.0:*:*:*:*:*:*:*"], "vendor": "curl", "product": "libcurl", "versions": [{"status": "affected", "version": "8.8.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T16:16:31.062Z"}}], "cna": {"title": "macidn punycode buffer overread", "credits": [{"lang": "en", "type": "finder", "value": "z2_"}, {"lang": "en", "type": "remediation developer", "value": "z2_"}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.8.0", "versionType": "semver", "lessThanOrEqual": "8.8.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-6874.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-6874.html", "name": "www"}, {"url": "https://hackerone.com/reports/2604391", "name": "issue"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/2"}], "descriptions": [{"lang": "en", "value": "libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-126 Buffer Over-read "}]}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-24T07:36:26.887Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6874", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:45:38.111Z", "dateReserved": "2024-07-18T03:37:32.294Z", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "datePublished": "2024-07-24T07:36:26.887Z", "assignerShortName": "curl"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:libcurl:8.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "759E33B7-1F1E-4050-A400-A2176BF35469", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string."}, {"lang": "es", "value": "La funci\u00f3n API de URL de libcurl [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) ofrece conversiones punycode, hacia y desde IDN. Al solicitar convertir un nombre que tiene exactamente 256 bytes, libcurl termina leyendo fuera de un b\u00fafer en la regi\u00f3n stack de la memoria cuando se construye para usar el backend IDN *macidn*. Luego, la funci\u00f3n de conversi\u00f3n llena exactamente el b\u00fafer proporcionado, pero no termina en nulo la cadena. Esta falla puede provocar que el contenido de la pila se devuelva accidentalmente como parte de la cadena convertida."}], "id": "CVE-2024-6874", "lastModified": "2024-09-10T15:27:04.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-24T08:15:03.413", "references": [{"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/07/24/2"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2024-6874.html"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2024-6874.json"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Exploit", "Issue Tracking", "Technical Description"], "url": "https://hackerone.com/reports/2604391"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "curl: macidn punycode buffer overread", "id": "2299654", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2299654"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-126", "details": ["libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string.", "A buffer overread vulnerability was found in Curl's URL API function curl_url_get(). This issue allows a remote attacker to obtain sensitive information due to a punycode buffer overread flaw. By sending a specially crafted request, an attacker can gain sensitive information and potentially launch further attacks against the affected system."], "name": "CVE-2024-6874", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2024-07-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-6874\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6874\nhttps://curl.se/docs/CVE-2024-6874.html\nhttps://curl.se/docs/CVE-2024-6874.json\nhttps://hackerone.com/reports/2604391"], "statement": "This bug was introduced in the Curl 8.8.0 release. However, Red Hat has not yet included Curl 8.8.0 in any of its products.\nAdditionally, since this vulnerability only affects MacOS builds, Red Hat remains unaffected.", "threat_severity": "Low"}