CVE-2024-6874

libcurl's URL API function
[curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode
conversions, to and from IDN. Asking to convert a name that is exactly 256
bytes, libcurl ends up reading outside of a stack based buffer when built to
use the *macidn* IDN backend. The conversion function then fills up the
provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidently getting returned as part of
the converted string.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
curlCNA
---
---
CISA-ADPADP
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
VendorProductVersion
haxxlibcurl
8.8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
not-affected
bookworm
7.88.1-10+deb12u12
not-affected
bullseye (security)
7.74.0-1.3+deb11u14
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.13.0-5
fixed
trixie
8.13.0-5
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
oracular
not-affected
noble
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/07/24/2
https://curl.se/docs/CVE-2024-6874.html
https://curl.se/docs/CVE-2024-6874.json
https://hackerone.com/reports/2604391
http://www.openwall.com/lists/oss-security/2024/07/24/2
https://curl.se/docs/CVE-2024-6874.html
https://curl.se/docs/CVE-2024-6874.json
https://hackerone.com/reports/2604391
https://security.netapp.com/advisory/ntap-20240822-0004/