Vulnerability details: VCID-s66m-g9a8-aaaf
Vulnerability ID VCID-s66m-g9a8-aaaf
Aliases CVE-2024-6874
Summary libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. When asked to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack-based buffer when built to use the *macidn* IDN backend. The conversion function then fills up the provided buffer exactly but does not null-terminate the string. This flaw can lead to stack contents accidentally getting returned as part of the converted string.
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6874.json
epss 0.00079 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00084 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.0013 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.0014 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00143 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00147 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00186 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00187 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00202 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00218 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00237 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
epss 0.00543 https://api.first.org/data/v1/epss?cve=CVE-2024-6874
cvssv3.1 Low https://curl.se/docs/CVE-2024-6874.html
cvssv3 4.3 https://nvd.nist.gov/vuln/detail/CVE-2024-6874
cvssv3.1 4.3 https://nvd.nist.gov/vuln/detail/CVE-2024-6874
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6874.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-6874
Exploit Prediction Scoring System (EPSS)
Percentile 0.35319
EPSS Score 0.00079
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-07-24T12:56:35.163747+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 34.0.0rc4