CVE-2024-3651
CVE Details
Visit the official vulnerability details page for CVE-2024-3651 to learn more.
Initial Publication
10/25/2024
Last Update
01/20/2025
Third Party Dependency
python-pip-whl
NIST CVE Summary
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.
CVE Severity
Our Official Summary
The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It allows encoding and decoding of domain names containing non-ASCII characters. This vulnerability affects versions prior to 3.7 of the idna package. Domain names cannot exceed 253 characters in length, so enforcing this limit can prevent the resource consumption issue. However, this workaround may not be foolproof, as it relies on the higher-level application performing input validation. Upgrade the package to a version > 3.7 to fix the vulnerability.
The risk of exploitation of this vulnerability for our products is low, since accessing this command line utility requires an attacker to have privileged access to the containers, and the containers do not allow arbitrary code to be run on them. The impact of exploitation is also low, since containers have a limited attack surface. Third party containers in which this vulnerability is reported do not have an upstream fix. We will upgrade the images once the upstream fix becomes available.
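The length-limit workaround and the version boundary from the summary above, as an added example (not code from this advisory or from the idna project). The names `guarded_encode`, `is_affected`, `installed_idna_status` and `DomainTooLong` are hypothetical, and the encoder is passed in by the caller, for instance `idna.encode`.

```python
import re
from importlib import metadata

MAX_DOMAIN_LENGTH = 253    # limit quoted in the advisory
FIRST_UNAFFECTED = (3, 7)  # advisory: idna versions prior to 3.7 are affected


class DomainTooLong(ValueError):
    """Input rejected before any IDNA processing (hypothetical name)."""


def is_affected(version):
    """Return True if an idna version string is prior to 3.7."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return True  # unparseable version: fail closed and flag it
    return (int(m.group(1)), int(m.group(2) or 0)) < FIRST_UNAFFECTED


def installed_idna_status():
    """Return (version, affected) for the installed idna, or None if absent."""
    try:
        version = metadata.version("idna")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)


def guarded_encode(name, encoder):
    """Call encoder(name) only if name is within the domain-name length limit.

    The check runs on the raw input, so an oversized string never reaches
    the encoder and its processing cost stays bounded.
    """
    if len(name) > MAX_DOMAIN_LENGTH:
        raise DomainTooLong(f"{len(name)} characters exceeds {MAX_DOMAIN_LENGTH}")
    return encoder(name)


if __name__ == "__main__":
    print("installed idna:", installed_idna_status())
    try:
        import idna
        encoder = idna.encode
    except ImportError:
        encoder = lambda s: s.encode("idna")  # stdlib IDNA 2003 codec, demo fallback only
    for sample in ("bücher.example", "a" * 300 + ".example"):  # constructed inputs
        try:
            print(guarded_encode(sample, encoder))
        except DomainTooLong as exc:
            print("rejected:", exc)
```

The guard only helps if every code path that reaches `idna.encode()` goes through it, which is the limitation the summary notes about relying on application-level validation.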
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.5.20 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.5.15 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.5.11 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.5.10 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.5.8 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.5.5 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.5.4 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.4.20 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
Revision History
Date | Revision |
---|---|
01/20/2025 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20 |
12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
11/19/2024 | Status changed from Open to Ongoing |
11/19/2024 | Official summary revised: The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It allows encoding and decoding of domain names containing non-ASCII characters. This vulnerability affects versions prior to 3.7 of the idna package. Domain names cannot exceed 253 characters in length, so enforcing this limit can prevent the resource consumption issue. However, this workaround may not be foolproof as it relies on the higher-level application performing input validation. Upgrade the package to > 3.7 version to fix the vulnerability. Risk of exploitation of this vulnerability for our products is low, since accessing this command line utility requires attacker to have privileged access to the containers and do not allow arbitrary code to be run on them. Impact of exploitation is also low since containers have a limited attack surface. Third party containers in which this vulnerability is reported do not have an upstream fix. We will upgrade the images once the upstream fix becomes available. |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |