CVE-2024-3651

Published: 23 April 2024

A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.

Notes

On focal and earlier, the python-pip package bundles
python-idna binaries when built. After updating
python-idna, a no-change rebuild of python-pip is required.
On jammy and later, python-idna is bundled in the python-pip
package and needs to be patched.

Status

Severity score breakdown

References

• https://www.cve.org/CVERecord?id=CVE-2024-3651
• https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h
• https://ubuntu.com/security/notices/USN-6780-1
• NVD
• Launchpad
• Debian

Bugs

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069127
• https://bugzilla.redhat.com/show_bug.cgi?id=2274779
• https://github.com/kjd/idna/issues/175