{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-6874", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "state": "PUBLISHED", "assignerShortName": "curl", "dateReserved": "2024-07-18T03:37:32.294Z", "datePublished": "2024-07-24T07:36:26.887Z", "dateUpdated": "2024-08-22T18:03:17.766Z"}, "containers": {"cna": {"title": "macidn punycode buffer overread", "descriptions": [{"lang": "en", "value": "libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string."}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-24T07:36:26.887Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-126 Buffer Over-read "}]}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.8.0", "status": "affected", "lessThanOrEqual": "8.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-6874.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-6874.html", "name": "www"}, {"url": "https://hackerone.com/reports/2604391", "name": "issue"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/2"}], "credits": [{"lang": "en", "value": "z2_", "type": "finder"}, {"lang": "en", "value": "z2_", "type": "remediation developer"}]}, "adp": [{"affected": [{"vendor": "curl", "product": "libcurl", "cpes": ["cpe:2.3:a:curl:libcurl:8.8.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "8.8.0", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-24T16:13:40.560966Z", "id": "CVE-2024-6874", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T16:25:51.575Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-6874.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-6874.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2604391", "name": "issue", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/2", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240822-0004/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-22T18:03:17.766Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-6874.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-6874.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2604391", "name": "issue", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.111Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-6874", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-24T16:13:40.560966Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:curl:libcurl:8.8.0:*:*:*:*:*:*:*"], "vendor": "curl", "product": "libcurl", "versions": [{"status": "affected", "version": "8.8.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T16:16:31.062Z"}}], "cna": {"title": "macidn punycode buffer overread", "credits": [{"lang": "en", "type": "finder", "value": "z2_"}, {"lang": "en", "type": "remediation developer", "value": "z2_"}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.8.0", "versionType": "semver", "lessThanOrEqual": "8.8.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-6874.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-6874.html", "name": "www"}, {"url": "https://hackerone.com/reports/2604391", "name": "issue"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/24/2"}], "descriptions": [{"lang": "en", "value": "libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-126 Buffer Over-read "}]}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-24T07:36:26.887Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6874", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:45:38.111Z", "dateReserved": "2024-07-18T03:37:32.294Z", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "datePublished": "2024-07-24T07:36:26.887Z", "assignerShortName": "curl"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:libcurl:8.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "759E33B7-1F1E-4050-A400-A2176BF35469", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\n\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string."}, {"lang": "es", "value": "La funci\u00f3n API de URL de libcurl [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) ofrece conversiones punycode, hacia y desde IDN. Al solicitar convertir un nombre que tiene exactamente 256 bytes, libcurl termina leyendo fuera de un b\u00fafer en la regi\u00f3n stack de la memoria cuando se construye para usar el backend IDN *macidn*. Luego, la funci\u00f3n de conversi\u00f3n llena exactamente el b\u00fafer proporcionado, pero no termina en nulo la cadena. Esta falla puede provocar que el contenido de la pila se devuelva accidentalmente como parte de la cadena convertida."}], "id": "CVE-2024-6874", "lastModified": "2024-09-10T15:27:04.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-24T08:15:03.413", "references": [{"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/07/24/2"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2024-6874.html"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2024-6874.json"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Exploit", "Issue Tracking", "Technical Description"], "url": "https://hackerone.com/reports/2604391"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "curl: macidn punycode buffer overread", "id": "2299654", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2299654"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-126", "details": ["libcurl's URL API function\n[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode\nconversions, to and from IDN. Asking to convert a name that is exactly 256\nbytes, libcurl ends up reading outside of a stack based buffer when built to\nuse the *macidn* IDN backend. The conversion function then fills up the\nprovided buffer exactly - but does not null terminate the string.\nThis flaw can lead to stack contents accidently getting returned as part of\nthe converted string.", "A buffer overread vulnerability was found in Curl's URL API function curl_url_get(). This issue allows a remote attacker to obtain sensitive information due to a punycode buffer overread flaw. By sending a specially crafted request, an attacker can gain sensitive information and potentially launch further attacks against the affected system."], "name": "CVE-2024-6874", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2024-07-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-6874\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6874\nhttps://curl.se/docs/CVE-2024-6874.html\nhttps://curl.se/docs/CVE-2024-6874.json\nhttps://hackerone.com/reports/2604391"], "statement": "This bug was introduced in the Curl 8.8.0 release. However, Red Hat has not yet included Curl 8.8.0 in any of its products.\nAdditionally, since this vulnerability only affects MacOS builds, Red Hat remains unaffected.", "threat_severity": "Low"}