{
  "threat_severity" : "Moderate",
  "public_date" : "2024-05-03T00:00:00Z",
  "bugzilla" : {
    "description" : "uriparser: integer overflow via long keys or values in ComposeQueryEngine() in UriQuery.c",
    "id" : "2278807",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2278807"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-190->CWE-120",
  "details" : [ "An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow.", "An integer overflow issue was found in Uriparser in the ComposeQueryEngine() function in UriQuery.c. This function computes the space needed for composing a query string. However, it encounters an integer overflow issue when handling large key or value lengths, potentially leading to incorrect memory allocations or operations due to malformed size calculations. This flaw allows attackers to crash the application, resulting in a denial of service." ],
  "statement" : "We do not distribute this package in RHEL 8, 9, and 10. Additionally, RHEL 7 is no longer within the scope of our supported versions.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "uriparser",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-34402\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-34402" ],
  "name" : "CVE-2024-34402",
  "csaw" : false
}