Improper Input Validation Affecting libidn2 Open this link in a new tab package, versions *

Although NVD CVSS Score is: 7.5 (High), when available we recommend using the distro's own rating score.

Attack Complexity

Low
Integrity

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-DEBIAN10-LIBIDN2-474100
published

23 Oct 2019
disclosed

22 Oct 2019

Report a new vulnerability Found a mistake?

Introduced: 22 Oct 2019

CVE-2019-12290 Open this link in a new tab CWE-20 Open this link in a new tab

How to fix?

There is no fixed version for Debian:10 libidn2.

NVD Description

Note: Versions mentioned in the description apply to the upstream libidn2 package.

GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.

Improper Input Validation Affecting libidn2 Open this link in a new tab package, versions *

Attack Complexity

Integrity

snyk-id

published

disclosed

Introduced: 22 Oct 2019

How to fix?

NVD Description

References