
CVE-2024-3651

CVE Details

Visit the official vulnerability details page for CVE-2024-3651 to learn more.

Initial Publication

10/25/2024

Last Update

01/20/2025

Third Party Dependency

python-pip-whl

NIST CVE Summary

A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.

CVE Severity

7.5

Our Official Summary

The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It allows encoding and decoding of domain names containing non-ASCII characters. This vulnerability affects versions of the idna package prior to 3.7. Domain names cannot exceed 253 characters in length, so enforcing this limit before calling the encoder prevents the resource consumption issue. However, this workaround is not foolproof, as it relies on the higher-level application performing that input validation on every path that reaches the library. Upgrade the package to version 3.7 or later to fix the vulnerability.

The risk of exploitation of this vulnerability in our products is low: reaching the affected command line utility requires the attacker to already have privileged access to the containers, and the containers do not allow arbitrary code to be run on them. The impact of exploitation is also low, since the containers have a limited attack surface. The third party containers in which this vulnerability is reported do not yet have an upstream fix. We will upgrade the images once the upstream fix becomes available.
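The 253-character workaround described above is only useful if the check sits in front of every call into the library. The following is an added illustration, not code from the advisory, the idna project or our products: a length guard that rejects oversized input before `idna.encode()` is reached. It assumes the `idna` package may not be installed and then falls back to the standard-library `"idna"` codec (an older IDNA 2003 implementation) purely so the example runs anywhere; the per-label limit of 63 characters is the RFC 1035 label limit and is not mentioned in the advisory.

```python
"""Length guard in front of idna.encode() (added example, not the page's own code).

Why checking the Unicode string is enough: the ASCII (punycode) form of a label
is never shorter than its Unicode source, so any input that is already over the
limits below could never have encoded to a valid hostname. Everything that
passes is at most 253 characters, which bounds the work the quadratic-time path
in idna <= 3.6 can be made to do.
"""
from typing import Callable, Optional

MAX_HOSTNAME_CHARS = 253  # overall limit cited in the advisory (RFC 1035)
MAX_LABEL_CHARS = 63      # per-label limit from RFC 1035 (assumption: not in the advisory)


class HostnameTooLong(ValueError):
    """Raised when a hostname or one of its labels exceeds the DNS limits."""


def _default_encoder() -> Callable[[str], bytes]:
    """Prefer kjd/idna (fixed in 3.7); fall back to the stdlib IDNA 2003 codec.

    The fallback exists only so this example runs without the package installed;
    in a real deployment the fix is to upgrade idna, not to swap encoders.
    """
    try:
        import idna  # kjd/idna
        return idna.encode
    except ImportError:
        return lambda s: s.encode("idna")


def check_hostname_length(hostname: str) -> str:
    """Return the hostname (minus one trailing dot) or raise before any encoding work.

    Runs in O(n) over the input, so it is safe to apply to untrusted data of any size.
    """
    name = hostname[:-1] if hostname.endswith(".") else hostname  # absolute names allowed
    if len(name) > MAX_HOSTNAME_CHARS:
        raise HostnameTooLong(
            f"hostname is {len(name)} characters; limit is {MAX_HOSTNAME_CHARS}"
        )
    for label in name.split("."):
        if not label:
            raise ValueError("hostname contains an empty label")
        if len(label) > MAX_LABEL_CHARS:
            raise HostnameTooLong(
                f"label {label[:16]!r}... is {len(label)} characters; limit is {MAX_LABEL_CHARS}"
            )
    return name


def safe_idna_encode(hostname: str, encoder: Optional[Callable[[str], bytes]] = None) -> bytes:
    """Encode a hostname to its ASCII form only after the length guard has passed."""
    encode = encoder or _default_encoder()
    return encode(check_hostname_length(hostname))


def is_rejected(hostname: str) -> bool:
    """True if the guard refuses the input without ever calling the encoder."""
    sentinel_called = []

    def never_called(_: str) -> bytes:
        sentinel_called.append(True)
        return b""

    try:
        safe_idna_encode(hostname, encoder=never_called)
    except HostnameTooLong:
        return not sentinel_called
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal name, a non-ASCII name, and an oversized string
    # of the kind the advisory warns about (far above the 253-character limit).
    print(safe_idna_encode("example.com"))
    print(safe_idna_encode("bücher.example"))
    print("oversized input rejected before encoding:", is_rejected("a" * 10_000))
```

Place the guard at the boundary where hostnames enter the application (request parsing, configuration loading, CLI arguments), not next to individual `idna.encode()` calls, so that no path into the library bypasses it; it is a mitigation for the window before the upgrade, not a substitute for idna 3.7 or later.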

Status

Ongoing

Affected Products & Versions

Version   Palette Enterprise   Palette Enterprise Airgap   VerteX          VerteX Airgap
4.5.20    ✅ No Impact         ✅ No Impact                ⚠️ Impacted     ⚠️ Impacted
4.5.15    ✅ No Impact         ✅ No Impact                ⚠️ Impacted     ⚠️ Impacted
4.5.11    ✅ No Impact         ✅ No Impact                ⚠️ Impacted     ⚠️ Impacted
4.5.10    ✅ No Impact         ✅ No Impact                ⚠️ Impacted     ⚠️ Impacted
4.5.8     ✅ No Impact         ✅ No Impact                ⚠️ Impacted     ⚠️ Impacted
4.5.5     ✅ No Impact         ✅ No Impact                ⚠️ Impacted     ⚠️ Impacted
4.5.4     ✅ No Impact         ✅ No Impact                ⚠️ Impacted     ⚠️ Impacted
4.4.20    ✅ No Impact         ✅ No Impact                ⚠️ Impacted     ⚠️ Impacted

Revision History

Date         Revision
01/20/2025   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20
12/16/2024   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
11/19/2024   Status changed from Open to Ongoing
11/19/2024   Official summary revised: The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It allows encoding and decoding of domain names containing non-ASCII characters. This vulnerability affects versions prior to 3.7 of the idna package. Domain names cannot exceed 253 characters in length, so enforcing this limit can prevent the resource consumption issue. However, this workaround may not be foolproof as it relies on the higher-level application performing input validation. Upgrade the package to > 3.7 version to fix the vulnerability. Risk of exploitation of this vulnerability for our products is low, since accessing this command line utility requires attacker to have privileged access to the containers and do not allow arbitrary code to be run on them. Impact of exploitation is also low since containers have a limited attack surface. Third party containers in which this vulnerability is reported do not have an upstream fix. We will upgrade the images once the upstream fix becomes available.
11/15/2024   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024   Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024   Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024   Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5