Server-Side Request Forgery (SSRF) in libuv - CVE-2024-24806
Published: February 22, 2024 / Updated: February 22, 2024
libuv
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input when handling hostnames longer than 256 characters within the uv_getaddrinfo() function in src/unix/getaddrinfo.c and its windows counterpart src/win/getaddrinfo.c. A remote attacker can pass a specially crafted hostname to the application, which can be resolved to an attacker controlled IP address and initiate unauthorized requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
How to mitigate CVE-2024-24806
Sources
- https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
- https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
- https://github.com/libuv/libuv/commit/3530bcc30350d4a6ccf35d2f7b33e23292b9de70
- https://github.com/libuv/libuv/commit/c858a147643de38a09dd4164758ae5b685f2b488
- https://github.com/libuv/libuv/commit/e0327e1d508b8207c9150b6e582f0adf26213c39
- http://www.openwall.com/lists/oss-security/2024/02/08/2
- http://www.openwall.com/lists/oss-security/2024/02/11/1