Vulnerability Details : CVE-2019-12290
GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.
Vulnerability category: Input validation
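The roundtrip check the description refers to (RFC 3490 section 4.2, ToUnicode steps 3 to 7), as an added Python example that is not code from the page, from libidn2 or from NVD: an A-label is decoded, re-encoded, and rejected unless the result matches the input. It assumes the standard library's IDNA2003 nameprep as the mapping step (a stand-in for libidn2's IDNA2008 processing); the soft-hyphen label is a constructed test input.

```python
"""Roundtrip check from RFC 3490 section 4.2 (ToUnicode, steps 3-7)."""
from encodings.idna import nameprep  # stdlib IDNA2003 mapping/normalisation

ACE_PREFIX = "xn--"


def to_ulabel_checked(alabel: str) -> str:
    """Decode an A-label to a U-label, refusing labels that do not roundtrip.

    The decoded U-label is re-encoded (mapping, normalisation, punycode) and
    the result must equal the input under case-insensitive ASCII comparison.
    Raises ValueError (UnicodeError is a subclass of it) otherwise.
    """
    lower = alabel.lower()
    if not lower.startswith(ACE_PREFIX):
        raise ValueError(f"{alabel!r} is not an A-label")
    # Step 5 of ToUnicode: plain punycode decoding, no validation yet.
    ulabel = lower[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    # Step 6: ToASCII on the decoded label. Characters that nameprep maps to
    # nothing (soft hyphen, zero-width joiner, ...) disappear here.
    mapped = nameprep(ulabel)
    if mapped.isascii():
        reencoded = mapped  # pure ASCII: ToASCII never adds the prefix
    else:
        reencoded = ACE_PREFIX + mapped.encode("punycode").decode("ascii")
    # Step 7: the re-encoded label must match what we were given.
    if reencoded != lower:
        raise ValueError(
            f"A-label {alabel!r} does not roundtrip: re-encodes as {reencoded!r}")
    return ulabel


def domain_roundtrips(domain: str) -> bool:
    """True if every A-label in the domain passes the roundtrip check."""
    try:
        for label in domain.split("."):
            if label.lower().startswith(ACE_PREFIX):
                to_ulabel_checked(label)
    except ValueError:
        return False
    return True


# Constructed test input: "example" with a soft hyphen (U+00AD) inserted,
# encoded straight to punycode without the mapping a conforming encoder applies.
SPOOFED_ALABEL = ACE_PREFIX + "exam\u00adple".encode("punycode").decode("ascii")

if __name__ == "__main__":
    print(to_ulabel_checked("xn--mnchen-3ya"))             # münchen
    print(domain_roundtrips(SPOOFED_ALABEL + ".example"))  # False
```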
Products affected by CVE-2019-12290
- cpe:2.3:a:gnu:libidn2:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12290
- EPSS score: 0.62% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~79% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-12290
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
| 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-12290
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-12290
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6ZXL2RDNQRAHCMKWPOMJFKYJ344X4HL/
  [SECURITY] Fedora 31 Update: libidn2-2.3.0-1.fc31 - package-announce - Fedora Mailing-Lists
- https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5
  Perform A-Label roundtrip for lookup functions by default (241e8f48) · Commits · libidn / libidn2 · GitLab (Patch; Third Party Advisory)
- https://usn.ubuntu.com/4168-1/
  USN-4168-1: Libidn2 vulnerabilities | Ubuntu security notices
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html
  [security-announce] openSUSE-SU-2019:2613-1: moderate: Security update f
- https://security.gentoo.org/glsa/202003-63
  GNU IDN Library 2: Multiple vulnerabilities (GLSA 202003-63) — Gentoo security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSI4TI2JTQWQ3YEUX5X36GTVGKO4QKZ5/
  [SECURITY] Fedora 31 Update: mingw-libidn2-2.3.0-1.fc31 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ONG3GJRRJO35COPGVJXXSZLU4J5Y42AT/
  [SECURITY] Fedora 30 Update: libidn2-2.3.0-1.fc30 - package-announce - Fedora Mailing-Lists
- https://gitlab.com/libidn/libidn2/merge_requests/71
  Perform A-Label roundtrip for lookup functions by default (!71) · Merge Requests · libidn / libidn2 · GitLab (Patch; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXDKYWFV6N2HHVSE67FFDM7G3FEL2ZNE/
  [SECURITY] Fedora 29 Update: mingw-libidn2-2.3.0-1.fc29 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFT76Y7OSGPZV3EBEHD6ISVUM3DLARM/
  [SECURITY] Fedora 30 Update: mingw-libidn2-2.3.0-1.fc30 - package-announce - Fedora Mailing-Lists
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html
  [security-announce] openSUSE-SU-2019:2611-1: moderate: Security update f
- https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de
  Update NEWS for CVE-2019-12290 (614117ef) · Commits · libidn / libidn2 · GitLab (Third Party Advisory)