CVE-2024-3651
CVE Details
Last Update
9/15/24
NIST CVE Summary
A vulnerability was identified in the kjd/idna library, specifically within the idna.encode() function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the idna.encode() function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.
Our Official Summary
The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It allows encoding and decoding of domain names containing non-ASCII characters. This vulnerability affects versions of the idna package prior to 3.7. Domain names cannot exceed 253 characters in length, so enforcing this limit before the name reaches idna.encode() can prevent the resource consumption issue. However, this workaround is not foolproof, because it relies on the higher-level application performing that input validation. Upgrade the package to a version > 3.7 to fix the vulnerability.
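The length-limit workaround described above, as an added example that is not part of this advisory or of the kjd/idna project: a small gate that rejects over-long names before they are handed to idna.encode(), plus a check of the installed idna version against the 3.7 fix. The function names, the 63-character per-label limit (from DNS, not from this advisory) and the lazy import of idna are assumptions of this example.

```python
"""Defensive wrapper around idna.encode() (example code, not the idna library's own).

Mitigation from the advisory: a DNS name can never exceed 253 characters, so an
application can refuse longer input before idna.encode() sees it. The version
check reflects the advisory's statement that 3.7 contains the upstream fix.
"""
from __future__ import annotations

from importlib import metadata

MAX_DOMAIN_LEN = 253      # limit cited in the advisory
MAX_LABEL_LEN = 63        # per-label DNS limit (assumed extra check, not from the advisory)
FIXED_VERSION = (3, 7)    # first idna release the advisory describes as fixed


def parse_version(text: str) -> tuple[int, ...]:
    """'3.6.1' -> (3, 6, 1); non-numeric suffixes such as 'rc1' are dropped."""
    return tuple(int(part) for part in text.split(".")[:3] if part.isdigit())


def idna_is_patched(installed: str) -> bool:
    """True when the installed idna version is 3.7 or newer."""
    return parse_version(installed) >= FIXED_VERSION


def needs_workaround() -> bool:
    """Keep the length gate on unless idna is installed and at/after the fix."""
    try:
        return not idna_is_patched(metadata.version("idna"))
    except metadata.PackageNotFoundError:
        return True  # unknown state: stay conservative


def validate_domain(name: str) -> str | None:
    """Return a reason for rejection, or None if the name is within DNS limits."""
    if len(name) > MAX_DOMAIN_LEN:
        return f"domain length {len(name)} exceeds {MAX_DOMAIN_LEN}"
    for label in name.rstrip(".").split("."):
        if not label:
            return "empty label"
        if len(label) > MAX_LABEL_LEN:
            return f"label length {len(label)} exceeds {MAX_LABEL_LEN}"
    return None


def safe_encode(name: str) -> bytes:
    """Validate first, then call idna.encode(); never pass over-long input through."""
    reason = validate_domain(name)
    if reason is not None:
        raise ValueError(f"rejected before idna.encode(): {reason}")
    import idna  # imported lazily so the gate itself works without the package
    return idna.encode(name)
```

With idna 3.6 still installed, `needs_workaround()` returns True and `safe_encode()` refuses a 300-character name before the vulnerable code path runs; after upgrading, the same gate remains harmless.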
CVE Severity
Status
Ongoing
Affected Products & Versions
- Palette VerteX 4.4.18
Revision History
- 1.0 9/13/2024 Initial Publication
- 2.0 9/13/2024 Added Palette VerteX 4.4.18 to Affected Products