7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.1 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
37.0%
A server-side request forgery (SSRF) flaw was found in the libuv package due to how the hostname_ascii
variable is handled in uv_getaddrinfo
and uv__idna_toascii
. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result, attackers may be able to access internal APIs or for websites that allow users to have username.example.com
pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks.
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
bugzilla.redhat.com/show_bug.cgi?id=2263292
github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
nvd.nist.gov/vuln/detail/CVE-2024-24806
www.chainguard.dev/unchained/unpacking-libuvs-cve-2024-24806-software-dark-matter-will-go-under-the-radar-not-in-chainguard-images-tho
www.cve.org/CVERecord?id=CVE-2024-24806
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.1 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
37.0%