Bugzilla – Bug 1219724
VUL-0: CVE-2024-24806: libuv: libuv: Improper Domain Lookup that potentially leads to SSRF attacks
Last modified: 2024-07-23 09:00:05 UTC
libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24806 https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 https://www.cve.org/CVERecord?id=CVE-2024-24806 https://bugzilla.redhat.com/show_bug.cgi?id=2263292 Patch: https://github.com/libuv/libuv/commit/3530bcc30350d4a6ccf35d2f7b33e23292b9de70 https://github.com/libuv/libuv/commit/e0327e1d508b8207c9150b6e582f0adf26213c39 https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
Tracking as affected: -openSUSE:Factory/libuv -SUSE:SLE-15-SP5:Update/libuv -SUSE:ALP:Source:Standard:1.0/libuv
This is an autogenerated message for OBS integration: This bug (1219724) was mentioned in https://build.opensuse.org/request/show/1147152 Factory / nodejs20
SUSE-SU-2024:0644-1: An update that solves six vulnerabilities can now be installed. Category: security (important) Bug References: 1219724, 1219992, 1219993, 1219997, 1220014, 1220017 CVE References: CVE-2023-46809, CVE-2024-21892, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: Web and Scripting Module 12 (src): nodejs18-18.19.1-8.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0643-1: An update that solves 10 vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1219152, 1219724, 1219992, 1219993, 1219994, 1219995, 1219997, 1219998, 1219999, 1220014, 1220017 CVE References: CVE-2023-46809, CVE-2024-21890, CVE-2024-21891, CVE-2024-21892, CVE-2024-21896, CVE-2024-22017, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: openSUSE Leap 15.5 (src): nodejs20-20.11.1-150500.11.6.1 Web and Scripting Module 15-SP5 (src): nodejs20-20.11.1-150500.11.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0730-1: An update that solves six vulnerabilities can now be installed. Category: security (important) Bug References: 1219724, 1219992, 1219993, 1219997, 1220014, 1220017 CVE References: CVE-2023-46809, CVE-2024-21892, CVE-2024-22019, CVE-2024-22025, CVE-2024-24758, CVE-2024-24806 Sources used: SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): nodejs18-18.19.1-150400.9.18.2 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): nodejs18-18.19.1-150400.9.18.2 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): nodejs18-18.19.1-150400.9.18.2 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): nodejs18-18.19.1-150400.9.18.2 SUSE Manager Server 4.3 (src): nodejs18-18.19.1-150400.9.18.2 openSUSE Leap 15.4 (src): nodejs18-18.19.1-150400.9.18.2 openSUSE Leap 15.5 (src): nodejs18-18.19.1-150400.9.18.2 Web and Scripting Module 15-SP5 (src): nodejs18-18.19.1-150400.9.18.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Looks like we missed the libuv version bump since 2024-02-27: https://build.opensuse.org/request/show/1163780
This is an autogenerated message for OBS integration: This bug (1219724) was mentioned in https://build.opensuse.org/request/show/1164081 Factory / libuv
Hi. Will we get an update for libuv in SLES15-SP5?