
CVE-2024-24806

Published: 2024-02-07 00:00:00
Source: ubuntu.com
Tags: libuv, uv_getaddrinfo, hostname truncation, getaddrinfo, ssrf, vulnerability, release 1.48.0, upgrade, internal apis, malicious user, bugreport, unix

CVSS3: 7.3 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score: 7 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 37.0%)

libuv is a multi-platform support library with a focus on asynchronous I/O.
The uv_getaddrinfo function in src/unix/getaddrinfo.c (and its Windows
counterpart src/win/getaddrinfo.c) truncates hostnames to 256 characters
before calling getaddrinfo. This behavior can be exploited to create
addresses like 0x00007f000001, which are considered valid by
getaddrinfo and could allow an attacker to craft payloads that resolve to
unintended IP addresses, bypassing developer checks. The vulnerability
arises from how the hostname_ascii variable (with a length of 256
bytes) is handled in uv_getaddrinfo and subsequently in
uv__idna_toascii. When the hostname exceeds 256 characters, it gets
truncated without a terminating null byte. As a result, attackers may be
able to access internal APIs. On websites (similar to MySpace) that
allow users to have username.example.com pages, internal services that
crawl or cache these user pages can be exposed to SSRF attacks if a
malicious user chooses a long vulnerable username. This issue has been
addressed in release version 1.48.0. Users are advised to upgrade. There
are no known workarounds for this vulnerability.
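
The failure mode described above, as an added C example that is not part of the original advisory and is neither libuv's code nor its fix: a bounded copy into a 256-byte buffer that silently truncates and leaves no terminating NUL, beside a copy that rejects names that do not fit. All function names and status codes are hypothetical; only the 256-byte size comes from the advisory text.

```c
#include <stdio.h>
#include <string.h>

#define HOSTBUF_LEN 256 /* hostname_ascii size stated in the advisory */
enum { HOST_OK = 0, HOST_EMPTY = -1, HOST_TOO_LONG = -2 }; /* hypothetical codes */

/* Pattern to avoid: a bounded copy that silently truncates. When src holds
 * HOSTBUF_LEN or more bytes, strncpy() fills dst and writes no NUL.
 * Returns 1 if dst ended up NUL-terminated, 0 if it did not. */
static int truncating_copy(char *dst, const char *src) {
    strncpy(dst, src, HOSTBUF_LEN);
    return memchr(dst, '\0', HOSTBUF_LEN) != NULL;
}

/* Safer pattern: refuse a name that does not fit, so the string the caller
 * validated is byte-for-byte the string later handed to the resolver. */
static int checked_copy(char *dst, const char *src) {
    size_t len = src ? strlen(src) : 0;
    if (len == 0)
        return HOST_EMPTY;
    if (len >= HOSTBUF_LEN) /* no room for the name plus its terminator */
        return HOST_TOO_LONG;
    memcpy(dst, src, len + 1); /* len + 1 copies the NUL as well */
    return HOST_OK;
}

/* Constructed sample input: a name made of n 'a' bytes (n capped at 1023). */
static const char *make_name(size_t n) {
    static char buf[1024];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

static int truncating_is_terminated(size_t n) {
    char dst[HOSTBUF_LEN];
    return truncating_copy(dst, make_name(n));
}
static int checked_status(size_t n) {
    char dst[HOSTBUF_LEN];
    return checked_copy(dst, make_name(n));
}

int main(void) {
    printf("300 bytes, truncating copy terminated: %d\n", truncating_is_terminated(300));
    printf("300 bytes, checked copy status: %d\n", checked_status(300));
    return 0;
}
```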

Bugs

OS      OS Version  Architecture  Package  Package Version        Filename
ubuntu  20.04       noarch        libuv1   < 1.34.2-1ubuntu1.5    UNKNOWN
ubuntu  22.04       noarch        libuv1   < 1.43.0-1ubuntu0.1    UNKNOWN
ubuntu  23.10       noarch        libuv1   < 1.44.2-1ubuntu0.1    UNKNOWN
