CVE-2024-24806

CVSS 3.1 Score 7.3 of 10 (high)

Details

Published Feb 7, 2024
Updated: Mar 5, 2024
CWE ID 918

Summary

CVE-2024-24806 is a vulnerability in the libuv library, affecting multiple products. The vulnerability arises from the truncation of hostnames to 256 characters before calling getaddrinfo, which can be exploited by attackers to create addresses like 0x00007f000001. This could allow them to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The issue stems from how the hostname_ascii variable is handled in uv_getaddrinfo and subsequently in uv__idna_toascii, where hostnames exceeding 256 characters get truncated without a terminating null byte. This vulnerability poses a potential danger to organizations as it could enable attackers to access internal APIs or expose internal services to Server Side Request Forgery (SSRF) attacks. Remediation for this vulnerability involves updating libuv library versions to ones that address this issue. The severity of this vulnerability is rated as HIGH with a base score of 7.3 according to CVE analysis data from nvd@nist.gov.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-24806 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options