GHSA-jjg7-2v4v-x38h

Source
https://github.com/advisories/GHSA-jjg7-2v4v-x38h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-jjg7-2v4v-x38h/GHSA-jjg7-2v4v-x38h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jjg7-2v4v-x38h
Aliases
Related
Published
2024-04-11T21:32:40Z
Modified
2024-09-11T06:13:10.004325Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode
Details

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

The function has been refined to reject such strings without the associated resource consumption in version 3.7.

Workarounds

Domain names cannot exceed 253 characters in length. If this length limit is enforced before the domain is passed to the idna.encode() function, the call should no longer consume significant resources. The issue is triggered by arbitrarily large inputs that would not occur in normal usage, but such inputs may reach the library if the higher-level application performs no preliminary input validation.
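The pre-validation the workaround describes, written out as an added example (this is not the idna project's own code). It uses the PyPI `idna` package when it is importable and otherwise falls back to the standard-library `idna` codec purely so the demo runs offline; that codec implements IDNA 2003 rather than IDNA 2008, so it is a stand-in for the demo, not a replacement. The names `check_domain_length`, `safe_idna_encode`, `rejected` and `DomainTooLong` are chosen here and are not part of the library's API.

```python
"""Length guard in front of idna.encode(), per the advisory's workaround (added example)."""
from __future__ import annotations

try:
    import idna  # the PyPI package this advisory covers

    def _encode(name: str) -> bytes:
        return idna.encode(name)
except ImportError:  # assumption: stand-in so the demo runs without the package
    def _encode(name: str) -> bytes:
        return name.encode("idna")  # stdlib codec (IDNA 2003); demo-only stand-in

MAX_DOMAIN_LEN = 253  # longest DNS name in presentation form
MAX_LABEL_LEN = 63    # longest single DNS label


class DomainTooLong(ValueError):
    """Raised before any IDNA processing for input that can never be a valid DNS name."""


def check_domain_length(domain: str) -> str:
    """O(n) pre-check on the raw input, done before idna.encode() sees it.

    Punycode can only make a label longer, so a U-label over 63 characters or a
    whole name over 253 characters cannot encode to a valid A-label form.
    Rejecting such input here keeps oversized strings away from the encoder.
    """
    stripped = domain[:-1] if domain.endswith(".") else domain  # allow one trailing dot
    if len(stripped) > MAX_DOMAIN_LEN:
        raise DomainTooLong(
            f"domain is {len(stripped)} characters; limit is {MAX_DOMAIN_LEN}"
        )
    for label in stripped.split("."):
        if len(label) > MAX_LABEL_LEN:
            raise DomainTooLong(
                f"label {label[:16]!r}... is {len(label)} characters; limit is {MAX_LABEL_LEN}"
            )
    return domain


def safe_idna_encode(domain: str) -> bytes:
    """Validate length first, encode, then re-check the ASCII form (punycode expands)."""
    check_domain_length(domain)
    alabel_form = _encode(domain)
    # DNS limits apply to the ASCII (wire) form, so check the encoded result as well.
    if len(alabel_form.rstrip(b".")) > MAX_DOMAIN_LEN:
        raise DomainTooLong("encoded name exceeds 253 octets")
    return alabel_form


def rejected(domain: str) -> bool:
    """True if the guard turns the input away before idna.encode() runs."""
    try:
        check_domain_length(domain)
    except DomainTooLong:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal IDN, the longest valid ASCII name, and an
    # arbitrarily large string of the kind the advisory describes.
    print(safe_idna_encode("bücher.example"))
    longest = ".".join(["a" * 63] * 3 + ["a" * 61])  # 253 characters
    print(len(safe_idna_encode(longest)))
    print(rejected("a" * 100_000))  # turned away in O(n), never reaches the encoder
```

The guard on the raw input is what bounds the work: a name that fails it cannot be valid anyway, so nothing is lost by refusing it before the encoder runs. The second check on the encoded bytes is there because the 253-octet limit is defined on the ASCII form, which punycode can make longer than the Unicode input.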

References

  • https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
Affected packages

PyPI / idna

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.7

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9

1.*

1.0
1.1

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10

3.*

3.0
3.1
3.2
3.3
3.4
3.5
3.6