CVE-2019-12290

CWE-20Improper Input Validation8 documents7 sources
Severity
7.5HIGH
EPSS
2.9%
top 13.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GNU Libidn2
Timeline
PublishedOct 22
Latest updateMay 24

Description

GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDgnu/libidn2< 2.2.0
Debianlibidn2< 2.2.0-1+3
Ubuntulibidn2< 2.0.4-1.1ubuntu0.2

Patches

Patch: gitlab.comPatch: gitlab.comPatch: gitlab.com

🔴Vulnerability Details

4
GHSA
GHSA-5pjp-55fh-7frw: GNU libidn2 before 22022-05-24
OSV
libidn2 vulnerabilities2019-10-29
OSV
CVE-2019-12290: GNU libidn2 before 22019-10-22
CVEList
CVE-2019-12290: GNU libidn2 before 22019-10-22

📋Vendor Advisories

2
Ubuntu
Libidn2 vulnerabilities2019-10-29
Debian
CVE-2019-12290: libidn2 - GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3...2019

💬Community

1
Bugzilla
CVE-2019-12290 libidn2: Improper roundtrip checks when converting A-labels to U-labels2019-10-22
CVE-2019-12290 (HIGH CVSS 7.5) | GNU libidn2 before 2.2.0 fails to p | cvebase.io