Vulnerability Description
GNU libidn2 before 2.2.0 fails to perform the roundtrip check specified in RFC 3490 Section 4.2 when converting A-labels to U-labels: after decoding the Punycode payload of an A-label it does not convert the result back to ASCII and verify that the original A-label is reproduced. Certain Unicode code points are discarded when a label is converted first to Unicode and then back to ASCII, so an attacker can register a domain whose A-label matches a target domain's label except for the inclusion of such punycoded code points. That A-label is a distinct DNS name, but a vulnerable libidn2 decodes it to a U-label that is visually indistinguishable from the target, which in some circumstances makes it possible for one domain to impersonate another; arbitrary domains can be impersonated this way in any application that relies on the vulnerable conversion for display.
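As an added illustration (not code from libidn2 or from this advisory), the Python below models the missing check with the standard library's IDNA2003 helpers in `encodings.idna` (nameprep, ToASCII, Punycode). libidn2 implements IDNA2008 with TR46 mapping, so the exact set of discarded code points differs, but the mechanism is the same. The function names, the target label `example`, and the choice of U+00AD SOFT HYPHEN as the discarded character are assumptions made for this example.

```python
"""Model of the RFC 3490 section 4.2 roundtrip check behind CVE-2019-12290.

Added example, not libidn2 code. Standard library only: encodings.idna is
IDNA2003 (nameprep + punycode); libidn2 is IDNA2008 + TR46, so the set of
characters that get discarded differs in detail. Names, the target label
'example' and U+00AD SOFT HYPHEN as the discarded character are assumptions.
"""
import encodings.idna as idna

ACE_PREFIX = "xn--"


def to_unicode_unchecked(alabel: str) -> str:
    """A-label -> U-label with no roundtrip check (pre-2.2.0 behaviour, modelled).

    The Punycode payload is decoded and returned as-is, so code points that
    ToASCII would discard survive into the U-label that gets displayed.
    """
    if not alabel.lower().startswith(ACE_PREFIX):
        return alabel
    return alabel[len(ACE_PREFIX):].encode("ascii").decode("punycode")


def roundtrips(alabel: str) -> bool:
    """RFC 3490 4.2 steps 6-7: ToASCII(ToUnicode(alabel)) must equal alabel."""
    ulabel = to_unicode_unchecked(alabel)
    if ulabel == alabel:                       # pure ASCII label, nothing was decoded
        return True
    try:
        reencoded = idna.ToASCII(ulabel).decode("ascii")
    except UnicodeError:                       # nameprep prohibited a code point
        return False
    return reencoded == alabel.lower()


def to_unicode_checked(alabel: str) -> str:
    """A-label -> U-label, rejecting labels that do not survive the roundtrip."""
    if not roundtrips(alabel):
        raise ValueError(f"A-label {alabel!r} does not round-trip through ToASCII")
    return to_unicode_unchecked(alabel)


def domain_to_unicode(domain: str, checked: bool = True) -> str:
    """Apply the per-label conversion to every label of a domain name."""
    convert = to_unicode_checked if checked else to_unicode_unchecked
    return ".".join(convert(label) for label in domain.split("."))


def build_lookalike(target_label: str, position: int, ignorable: str = "\u00ad") -> str:
    """Attacker side: insert a discarded code point into the target label and encode it.

    The result is a different DNS name (one the attacker can register), but its
    decoded form differs from the target only by an invisible character.
    """
    spoof = target_label[:position] + ignorable + target_label[position:]
    return ACE_PREFIX + spoof.encode("punycode").decode("ascii")


def renders_as(ulabel: str, target_label: str) -> bool:
    """True if ulabel collapses to target_label once discarded code points are dropped."""
    return idna.nameprep(ulabel) == target_label


if __name__ == "__main__":
    spoof = build_lookalike("example", 4) + ".com"        # "xn--example-oka.com"
    shown = domain_to_unicode(spoof, checked=False)       # "exam\xadple.com"
    print("attacker registers :", spoof)
    print("vulnerable decode  :", shown,
          "(looks like example.com:", renders_as(shown.split(".")[0], "example"), ")")
    try:
        domain_to_unicode(spoof, checked=True)
    except ValueError as err:
        print("fixed decode       :", err)
```

The fixed path fails closed: a label that does not round-trip is left in its A-label form (or rejected) rather than decoded for display, which is what the check in RFC 3490 Section 4.2 is for. Note that a label made of plain ASCII never reaches the check, so the cost is paid only for labels that actually carry a Punycode payload.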
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Libidn2 | < 2.2.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html
- https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f (Patch, Third Party Advisory)
- https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389d (Third Party Advisory)
- https://gitlab.com/libidn/libidn2/merge_requests/71 (Patch, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202003-63
- https://usn.ubuntu.com/4168-1/
FAQ
What is CVE-2019-12290?
CVE-2019-12290 is a vulnerability in GNU libidn2 before 2.2.0 with a CVSS base score of 7.5 (HIGH). The library skips the RFC 3490 Section 4.2 roundtrip check when converting A-labels to U-labels, so an A-label carrying punycoded code points that are discarded on the way back to ASCII decodes to a U-label that looks like a different, legitimate domain; in some circumstances this lets one domain impersonate another. See the Vulnerability Description above.
How severe is CVE-2019-12290?
CVE-2019-12290 has been rated HIGH with a CVSS base score of 7.5/10. The practical impact is spoofing: a user or an application that displays decoded internationalized domain names through a vulnerable libidn2 can be shown a name that is indistinguishable from a trusted domain while actually referring to an attacker-controlled one.
Is there a patch for CVE-2019-12290?
Yes. The issue is fixed in libidn2 2.2.0; the upstream fix commits and merge request 71 are linked in the References section above, together with distribution advisories for openSUSE, Fedora, Gentoo (GLSA 202003-63) and Ubuntu (USN-4168-1). The affected product is GNU libidn2 before 2.2.0. To verify a system, check the installed library version (for example with `idn2 --version` or your package manager) and remember that software which bundles or statically links libidn2 must be rebuilt against the fixed version rather than relying on the system package.