
CVE-2024-3651

CVE Details

CVE-2024-3651

Last Update

9/15/24

NIST CVE Summary

A vulnerability was identified in the kjd/idna library, specifically within the idna.encode() function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the idna.encode() function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.

Our Official Summary

The idna package is a Python library that implements Internationalized Domain Names in Applications (IDNA): it encodes domain names containing non-ASCII characters into their ASCII (Punycode) form and decodes them back. This vulnerability affects versions of idna prior to 3.7. Because a fully qualified domain name cannot exceed 253 characters, rejecting longer inputs before calling idna.encode() bounds the work the function can be made to do and prevents the resource consumption issue. This workaround is not foolproof, however, because it depends on the higher-level application performing that input validation on every path that reaches idna.encode(). Upgrade idna to version 3.7 or later to fix the vulnerability.
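As an added example (not code from the idna project or from the Palette documentation), the following Python shows both halves of the guidance above: a check that the installed idna is 3.7 or later, and the 253-character pre-check placed in front of idna.encode(). The function and constant names are this example's own; the optional encoder parameter exists only so the guard can be exercised without idna installed.

```python
"""Length guard in front of idna.encode() as a CVE-2024-3651 mitigation.

Added example for this advisory; not code from the idna project or Palette.
"""
from importlib import metadata
from typing import Callable, Optional

# Maximum length of a fully qualified domain name, as cited in the advisory.
MAX_DOMAIN_LENGTH = 253
# First idna release containing the fix for CVE-2024-3651.
FIXED_VERSION = (3, 7)


def parse_version(version: str) -> tuple:
    """Reduce a version string such as '3.7' or '3.10' to (major, minor)."""
    nums = []
    for part in version.split(".")[:2]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 2:
        nums.append(0)
    return tuple(nums)


def idna_is_fixed(version: Optional[str] = None) -> bool:
    """True when the given (or the installed) idna version is 3.7 or later."""
    if version is None:
        try:
            version = metadata.version("idna")
        except metadata.PackageNotFoundError:
            # Not installed: nothing to patch, but do not report it as fixed.
            return False
    return parse_version(version) >= FIXED_VERSION


def within_domain_limit(name: str) -> bool:
    """O(n) pre-check: reject anything longer than a valid FQDN can be.

    A trailing dot denoting the root is permitted and not counted.
    """
    return len(name.rstrip(".")) <= MAX_DOMAIN_LENGTH


def safe_encode(name: str,
                encoder: Optional[Callable[[str], bytes]] = None) -> bytes:
    """Validate the length, then delegate to idna.encode().

    `encoder` is a hypothetical hook for this example so the guard can be
    tested without idna present; production code would call idna.encode.
    """
    if not within_domain_limit(name):
        raise ValueError(
            f"domain name exceeds {MAX_DOMAIN_LENGTH} characters; refusing to encode")
    if encoder is None:
        import idna  # imported lazily so the guard has no hard dependency
        encoder = idna.encode
    return encoder(name)


if __name__ == "__main__":
    print("idna >= 3.7 installed:", idna_is_fixed())
    try:
        # Constructed inputs: an ordinary IDN and an over-long hostname.
        print(safe_encode("bücher.example"))
        safe_encode("a" * 300 + ".example")
    except ImportError:
        print("idna is not installed; only the length guard was exercised")
    except ValueError as exc:
        print("rejected:", exc)
```

The length guard runs in linear time and costs nothing on valid input, so it can sit at the edge of any service that hands user-supplied hostnames to idna; it is a stopgap, though, and the version check is what should gate deployment.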

CVE Severity

7.5

Status

Ongoing

Affected Products & Versions

  • Palette VerteX 4.4.18

Revision History

  • 1.0 9/13/2024 Initial Publication
  • 2.0 9/13/2024 Added Palette VerteX 4.4.18 to Affected Products