Vonage/vonage-python-code-snippets

idna-2.7-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

mend-for-github-com opened this issue · 1 comments

mend-for-github-com commented
Vulnerable Library - idna-2.7-py2.py3-none-any.whl

Internationalized Domain Names in Applications (IDNA)

Library home page: https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (idna version) Remediation Possible** Reachability
CVE-2024-3651 High 7.5 Not Defined 0.0% idna-2.7-py2.py3-none-any.whl Direct idna - 3.7

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-3651

Vulnerable Library - idna-2.7-py2.py3-none-any.whl

Internationalized Domain Names in Applications (IDNA)

Library home page: https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl

Path to dependency file: /sms/verify-signed-sms/requirements.txt

Path to vulnerable library: /sms/verify-signed-sms/requirements.txt,/requirements.txt

Dependency Hierarchy:

  • idna-2.7-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was identified in the kjd/idna library, specifically within the idna.encode() function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the idna.encode() function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.

Publish Date: 2024-07-07

URL: CVE-2024-3651

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-3651

Release Date: 2024-07-07

Fix Resolution: idna - 3.7

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

mend-for-github-com commented

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.