
CVE-2019-12290

Published: Oct 22, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.

Vendor: n/a
Product: n/a
Versions: n/a (affected)

References

USN-4168-1 (vendor-advisory, x_refsource_UBUNTU)
FEDORA-2019-f454c7a118 (vendor-advisory, x_refsource_FEDORA)
FEDORA-2019-20e9736c97 (vendor-advisory, x_refsource_FEDORA)
FEDORA-2019-28d3cd20c0 (vendor-advisory, x_refsource_FEDORA)
FEDORA-2019-1ebb5c928e (vendor-advisory, x_refsource_FEDORA)
openSUSE-SU-2019:2611 (vendor-advisory, x_refsource_SUSE)
openSUSE-SU-2019:2613 (vendor-advisory, x_refsource_SUSE)
FEDORA-2019-160303ebeb (vendor-advisory, x_refsource_FEDORA)
GLSA-202003-63 (vendor-advisory, x_refsource_GENTOO)
