CVE-2024-12224

Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

CVSS

No CVSS.

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
https://rustsec.org/advisories/RUSTSEC-2024-0421.html
https://bugzilla.mozilla.org/show_bug.cgi?id=1887898

Configurations

No configuration.

History

30 May 2025, 13:15

Type	Values Removed	Values Added
Summary		(es) La validación incorrecta de equivalencia insegura en punycode por parte del crate idna de Servo rust-url permite que un atacante cree un nombre de host punycode que una parte de un sistema podría tratar como distinto mientras que otra parte de ese sistema trataría como equivalente a otro nombre de host.
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1887898 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1887898 -

30 May 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 02:15

Updated : 2025-05-30 16:31

NVD link : CVE-2024-12224

Mitre link : CVE-2024-12224

CVE.ORG link : CVE-2024-12224

JSON object : View

Products Affected

No product.

CWE

CWE-1289

Improper Validation of Unsafe Equivalence in Input

{"id": "CVE-2024-12224", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@mozilla.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-30T02:15:19.670", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1887898", "source": "security@mozilla.org"}, {"url": "https://rustsec.org/advisories/RUSTSEC-2024-0421.html", "source": "security@mozilla.org"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1887898", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@mozilla.org", "description": [{"lang": "en", "value": "CWE-1289"}]}], "descriptions": [{"lang": "en", "value": "Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname."}, {"lang": "es", "value": "La validaci\u00f3n incorrecta de equivalencia insegura en punycode por parte del crate idna de Servo rust-url permite que un atacante cree un nombre de host punycode que una parte de un sistema podr\u00eda tratar como distinto mientras que otra parte de ese sistema tratar\u00eda como equivalente a otro nombre de host."}], "lastModified": "2025-05-30T16:31:03.107", "sourceIdentifier": "security@mozilla.org"}