ALPINE-CVE-2024-6874

Source
https://security.alpinelinux.org/vuln/CVE-2024-6874
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6874.json
JSON Data
https://api.test.osv.dev/v1/vulns/ALPINE-CVE-2024-6874
Upstream
Published
2024-07-24T08:15:03.413Z
Modified
2026-06-15T18:18:09.565361859Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

libcurl's URL API function curlurlget() offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the macidn IDN backend. The conversion function then fills up the provided buffer exactly - but does not null terminate the string.

This flaw can lead to stack contents accidently getting returned as part of the converted string.

References

Affected packages

Alpine:v3.17
curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.9.0-r0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6874.json"
Alpine:v3.18
curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.9.0-r0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6874.json"
Alpine:v3.19
curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.9.0-r0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6874.json"
Alpine:v3.20
curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.9.0-r0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6874.json"
Alpine:v3.21
curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.9.0-r0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6874.json"
Alpine:v3.22
curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.9.0-r0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6874.json"
Alpine:v3.23
curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.9.0-r0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6874.json"
Alpine:v3.24
curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.9.0-r0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-6874.json"