Incorrect Comparison Affecting idna package, versions <1.0.0


Severity: medium (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-RUST-IDNA-8492394
  • Published: 10 Dec 2024
  • Disclosed: 9 Dec 2024
  • Credit: kageshiron

Introduced: 9 Dec 2024

CVE-2024-12224
CWE-697 (Incorrect Comparison)

How to fix?

Upgrade idna to version 1.0.0 or higher.

Overview

idna is an IDNA library for Rust implementing UTS 46: Unicode IDNA Compatibility Processing as parametrized by the WHATWG URL Standard.

Affected versions of this package are vulnerable to Incorrect Comparison (CWE-697) in the Punycode decoding step: a label carrying the xn-- prefix can decode to the name of a different host, so a host name that is textually distinct from a target compares equal to it once both have been processed by idna. An attacker who can obtain a DNS entry and a TLS certificate for such a masked name can use it to pass a host-name-based privilege check in applications that compare names through idna.

Notes:

This is only exploitable when all of the following hold:
  • the host name comparison is part of a privilege check;
  • the client resolves domains with such labels instead of treating them as errors that preclude DNS resolution / URL fetching; and
  • the attacker manages to introduce a DNS entry (and TLS certificate) for an xn---masked name that turns into the name of the target when processed by idna.
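As an added illustration, not code from the idna crate or from this advisory: a minimal RFC 3492 Punycode decoder together with a host-name comparison run in the two behaviours the advisory contrasts. The RustSec advisory for the same issue describes the defect as accepting Punycode labels that decode to pure ASCII; the label `xn--example-` decodes to `example`, so a lenient normalizer turns `xn--example-.com` into `example.com` and a comparison-based privilege check accepts the masked name. The host names, the `strict` flag and the `is_trusted_host` check are constructed for this example; label case-folding is reduced to ASCII lowercasing rather than full UTS 46 mapping.

```rust
// Added example: RFC 3492 Punycode decoding plus a host-name privilege check
// in "lenient" (pre-1.0.0 style) and "strict" (1.0.0+ style) modes.
// Host names and the is_trusted_host check are constructed for illustration.

const BASE: u32 = 36;
const TMIN: u32 = 1;
const TMAX: u32 = 26;
const SKEW: u32 = 38;
const DAMP: u32 = 700;
const INITIAL_BIAS: u32 = 72;
const INITIAL_N: u32 = 128;

fn digit_value(c: u8) -> Option<u32> {
    match c {
        b'a'..=b'z' => Some(u32::from(c - b'a')),
        b'A'..=b'Z' => Some(u32::from(c - b'A')),
        b'0'..=b'9' => Some(u32::from(c - b'0') + 26),
        _ => None,
    }
}

// Bias adaptation, RFC 3492 section 6.1.
fn adapt(mut delta: u32, num_points: u32, first_time: bool) -> u32 {
    delta = if first_time { delta / DAMP } else { delta / 2 };
    delta += delta / num_points;
    let mut k = 0;
    while delta > ((BASE - TMIN) * TMAX) / 2 {
        delta /= BASE - TMIN;
        k += BASE;
    }
    k + ((BASE - TMIN + 1) * delta) / (delta + SKEW)
}

/// Decode the part of a label that follows "xn--" (RFC 3492 section 6.2).
/// Returns None on malformed input or arithmetic overflow.
pub fn punycode_decode(input: &str) -> Option<String> {
    let bytes = input.as_bytes();
    let mut output: Vec<char> = Vec::new();
    let mut pos = 0;
    // Basic (ASCII) code points precede the last '-' delimiter, if any.
    if let Some(delim) = bytes.iter().rposition(|&b| b == b'-') {
        for &b in &bytes[..delim] {
            if !b.is_ascii() {
                return None;
            }
            output.push(b as char);
        }
        pos = delim + 1;
    }
    let (mut n, mut i, mut bias) = (INITIAL_N, 0u32, INITIAL_BIAS);
    while pos < bytes.len() {
        let old_i = i;
        let mut w: u32 = 1;
        let mut k = BASE;
        loop {
            let digit = digit_value(*bytes.get(pos)?)?;
            pos += 1;
            i = i.checked_add(digit.checked_mul(w)?)?;
            let t = if k <= bias { TMIN } else if k >= bias + TMAX { TMAX } else { k - bias };
            if digit < t {
                break;
            }
            w = w.checked_mul(BASE - t)?;
            k += BASE;
        }
        let len = output.len() as u32 + 1;
        bias = adapt(i - old_i, len, old_i == 0);
        n = n.checked_add(i / len)?;
        i %= len;
        output.insert(i as usize, char::from_u32(n)?);
        i += 1;
    }
    Some(output.into_iter().collect())
}

/// Normalize one label. `strict` models the fixed behaviour: a Punycode label
/// that decodes to pure ASCII is an error, not a synonym for the plain label.
fn normalize_label(label: &str, strict: bool) -> Result<String, String> {
    let lower = label.to_ascii_lowercase(); // simplified; UTS 46 maps far more
    match lower.strip_prefix("xn--") {
        Some(rest) => {
            let decoded = punycode_decode(rest).ok_or(format!("bad punycode in {label}"))?;
            if strict && decoded.is_ascii() {
                return Err(format!("{label} decodes to ASCII-only {decoded:?}"));
            }
            Ok(decoded)
        }
        None => Ok(lower),
    }
}

pub fn to_unicode(host: &str, strict: bool) -> Result<String, String> {
    let labels = host
        .split('.')
        .map(|l| normalize_label(l, strict))
        .collect::<Result<Vec<String>, String>>()?;
    Ok(labels.join("."))
}

/// The privilege check from the advisory: "is this request for the trusted host?"
/// Any normalization error denies, which is what makes the strict mode safe.
pub fn is_trusted_host(candidate: &str, trusted: &str, strict: bool) -> bool {
    match (to_unicode(candidate, strict), to_unicode(trusted, strict)) {
        (Ok(a), Ok(b)) => a == b,
        _ => false,
    }
}

fn main() {
    let cases = [("xn--example-.com", "example.com"), ("xn--mnchen-3ya.de", "münchen.de")];
    for &(candidate, trusted) in cases.iter() {
        println!(
            "{candidate} vs {trusted}: lenient={} strict={}",
            is_trusted_host(candidate, trusted, false),
            is_trusted_host(candidate, trusted, true)
        );
    }
}
```

The masked name passes the lenient check and fails the strict one, while a genuine internationalized name such as `xn--mnchen-3ya.de` (münchen.de) normalizes identically in both modes, which is why rejecting ASCII-only Punycode output is a safe fix rather than a breaking one.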

This issue was fixed in idna 1.0.0, but versions earlier than 1.0.3 are not recommended for other reasons.

If Rust earlier than 1.81 is used in combination with SQLx 0.8.2 or earlier, it is recommended to read the upstream issue about combining them with url 2.5.4 and idna 1.0.3.
