PT-2019-4767 · Gnu+4 · Libidn2+4

Published

2019-05-23

·

Updated

2019-12-31

·

CVE-2019-12290

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions GNU libidn2 versions prior to 2.2.0
Description The issue exists due to insufficient input validation in the RFC3490 component of the Libidn2 library. This can be exploited by a remote attacker to create a malicious domain that impersonates a target domain. By creating a domain that matches the target except for certain Unicode characters encoded in punycode, an attacker can impersonate arbitrary domains.
Recommendations For GNU libidn2 versions prior to 2.2.0, update to version 2.2.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of punycode conversions to minimize the risk of domain impersonation.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2019-1902
ALT-PU-2019-1908
BDU:2020-01339
CVE-2019-12290
MGASA-2019-0416
OPENSUSE-SU-2019:2611-1
OPENSUSE-SU-2019:2613-1
OPENSUSE-SU-2019_2611-1
OPENSUSE-SU-2019_2613-1
OPENSUSE-SU-2024:10950-1
SUSE-SU-2019:3086-1
SUSE-SU-2019_3086-1
USN-4168-1

Affected Products

Alt Linux
Astra Linux
Suse
Ubuntu
Libidn2