{"id":"CVE-2019-12290","details":"GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.","modified":"2026-04-16T04:40:07.735384167Z","published":"2019-10-22T16:15:10.877Z","related":["CGA-3386-58h9-9qmw","SUSE-SU-2019:3086-1","openSUSE-SU-2019:2611-1","openSUSE-SU-2019:2613-1","openSUSE-SU-2024:10950-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KXDKYWFV6N2HHVSE67FFDM7G3FEL2ZNE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSI4TI2JTQWQ3YEUX5X36GTVGKO4QKZ5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6ZXL2RDNQRAHCMKWPOMJFKYJ344X4HL/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFT76Y7OSGPZV3EBEHD6ISVUM3DLARM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ONG3GJRRJO35COPGVJXXSZLU4J5Y42AT/"},{"type":"WEB","url":"https://usn.ubuntu.com/4168-1/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-63"},{"type":"ADVISORY","url":"https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de"},{"type":"FIX","url":"https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5"},{"type":"FIX","url":"https://gitlab.com/libidn/libidn2/merge_requests/71"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/libidn/libidn2","events":[{"introduced":"0"},{"fixed":"3db6427d9ef42483405bfa75f234792ac073239e"},{"fixed":"241e8f486134793cb0f4a5b0e5817a97883401f5"},{"fixed":"614117ef6e4c60e1950d742e3edf0a0ef8d389de"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.2.0"}]}}],"versions":["2.2.0","libidn2-0.10","libidn2-0.11","libidn2-0.12","libidn2-0.13","libidn2-0.14","libidn2-0.15","libidn2-0.16","libidn2-0.3","libidn2-0.4","libidn2-0.5","libidn2-0.6","libidn2-0.7","libidn2-0.8","libidn2-0.9","libidn2-2.0.0","libidn2-2.0.1","libidn2-2.0.2","libidn2-2.0.3","libidn2-2.0.4","libidn2-2.0.5","libidn2-2.1.0","libidn2-2.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12290.json","vanir_signatures_modified":"2026-04-11T12:42:21Z","vanir_signatures":[{"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5","signature_version":"v1","target":{"file":"lib/lookup.c"},"signature_type":"Line","deprecated":false,"digest":{"line_hashes":["187845366280205581554916051824304641025","289222033461961251682366936354811810929","189921928984123963418844635464376916147","32322299586069872753104641615897259259","68915996413258629746358493254944318128","295730367312914004971153892094774148693","264258165042914839397875976476724874954","163321080620791167400093219107764732189","178771355685605208775915253908940624378","161537723658831945381105479310787500612","336132514217847844897387324679739871341","125593242869440476194307051446470131116","141317671660914381322152364271358431871","214631645719211984927038159192097519376","266587475166497327939218941668200906676","314523723662684879250557283871182831196","143571233016551291613287419848004828171","334350992102930038829101961090464646085","259178560879546280548176550449865355486","228263717062548974924835271169699422705","209557075922360947708273955807601980744","298927573849399498727933349449060804764","200870642929510662551358979060379372946","83154842888797228375984819460951751371","56736669590484047371391910641074305236","312501796626787656415207348311880419549","238390847104470054703256634220722141936","178699996317677438489876796129231280301","265343990960947131591128169558107137289","20924633486555631153636335400639628014","319020322763427148370536823242309996558","37599245625922652816097075900812637469","140851693938537637181819694478675077710","162637764160326715175583723161150223839","81206057916669312551064521823174789034","90795475823384253914073336123682738196"],"threshold":0.9},"id":"CVE-2019-12290-34a4fb6a"},{"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5","signature_version":"v1","target":{"function":"label","file":"lib/lookup.c"},"deprecated":false,"signature_type":"Function","digest":{"length":1237,"function_hash":"196589049652805566618349219444565166789"},"id":"CVE-2019-12290-3a2bea05"},{"id":"CVE-2019-12290-47d0524e","signature_version":"v1","target":{"function":"usage","file":"src/idn2.c"},"signature_type":"Function","deprecated":false,"digest":{"length":1609,"function_hash":"158323192680532173773353355260575223296"},"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5"},{"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5","signature_version":"v1","target":{"function":"main","file":"src/idn2.c"},"signature_type":"Function","deprecated":false,"digest":{"length":1689,"function_hash":"132847353310256968026952805416658069944"},"id":"CVE-2019-12290-7b9c9ae2"},{"id":"CVE-2019-12290-88729c3d","signature_version":"v1","target":{"file":"src/blurbs.h"},"deprecated":false,"signature_type":"Line","digest":{"line_hashes":["114932952402425713695135804304977684576"],"threshold":0.9},"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5"},{"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5","signature_version":"v1","target":{"function":"idn2_strerror_name","file":"lib/error.c"},"signature_type":"Function","deprecated":false,"digest":{"length":1929,"function_hash":"312356779681248897141270467858749709960"},"id":"CVE-2019-12290-89f31ec5"},{"id":"CVE-2019-12290-a1de27eb","signature_version":"v1","target":{"file":"lib/error.c"},"signature_type":"Line","deprecated":false,"digest":{"line_hashes":["66902672545539146513614053349137977493","35705142242873268246961906559538162778","92553056929671371861616070084439320737","54063827184499356904768052335394235904","41592960057154531973644757130155655068","184195417186434568414504093915641920336","53637315937563157046328503246039279430","91854151707641435040215239355893114590"],"threshold":0.9},"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5"},{"id":"CVE-2019-12290-a7b50d06","signature_version":"v1","target":{"function":"idn2_strerror","file":"lib/error.c"},"deprecated":false,"signature_type":"Function","digest":{"length":2571,"function_hash":"87491573228088904306321158771688506918"},"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5"},{"id":"CVE-2019-12290-ca931a85","signature_version":"v1","target":{"function":"set_default_flags","file":"lib/lookup.c"},"signature_type":"Function","deprecated":false,"digest":{"length":403,"function_hash":"16217450268485728176248901353893967410"},"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5"},{"id":"CVE-2019-12290-ede97f5a","signature_version":"v1","target":{"file":"src/idn2.c"},"deprecated":false,"signature_type":"Line","digest":{"line_hashes":["166885763631888406267131528687096582745","134367394057071990490085530265912699219","214378052207718936395517494157405438190","232115736145380109018108751105545165544","224698098182131758138671533896448875293","259038086519496779361696632459998164591","6114980826271067092645779402511071784","89644263389340556783706497584888941590","165727711777409542780179600632295041520","26230735817845700437729811762211287753","32912217945566229435583919163839432422","279461692832200392842104054395391354798","315064635494576614957724199126787903121","132472155916234525831925478258186666183","142262658041150698465307422285829635768","127809624820878683290662984068786164174","310772457680198278739071035262824120750","6059200163761477374636826095744790818","199068233433028341871381895255198024036","75417734971841325643407933153858414668","331623842480580273871638426298658246517"],"threshold":0.9},"source":"https://gitlab.com/libidn/libidn2@241e8f486134793cb0f4a5b0e5817a97883401f5"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}