The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(xn–example-.com) incorrectly returns the name example.com rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject example.com but permit xn–example-.com. If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name example.com.
The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Net | Golang | * | 0.55.0 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | git-lfs-0:3.7.1-5.el10_2.5 | * |
| Red Hat Enterprise Linux 10 | RedHat | opentelemetry-collector-0:0.152.1-1.el10_2 | * |
| Red Hat Enterprise Linux 10 | RedHat | grafana-pcp-0:5.3.0-7.el10_2 | * |
| Red Hat Enterprise Linux 10 | RedHat | grafana-0:10.2.6-27.el10_2 | * |
| Red Hat Enterprise Linux 10 | RedHat | golang-0:1.26.5-1.el10_2 | * |
| Red Hat Enterprise Linux 8 | RedHat | git-lfs-0:3.4.1-11.el8_10 | * |
| Red Hat Enterprise Linux 8 | RedHat | grafana-0:9.2.10-31.el8_10 | * |
| Red Hat Enterprise Linux 8 | RedHat | grafana-pcp-0:5.1.1-16.el8_10 | * |
| Red Hat Enterprise Linux 9 | RedHat | git-lfs-0:3.7.1-4.el9_8.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | opentelemetry-collector-0:0.152.1-1.el9_8 | * |
| Red Hat Enterprise Linux 9 | RedHat | grafana-0:10.2.6-23.el9_8 | * |
| Red Hat Enterprise Linux 9 | RedHat | grafana-pcp-0:5.1.1-17.el9_8 | * |
| Red Hat Enterprise Linux 9 | RedHat | golang-0:1.26.5-1.el9_8 | * |
| Red Hat OpenShift Container Platform 4.22 | RedHat | ose-azure-acr-image-credential-provider-0:4.22.0-202606291123.p2.ga17a3e3.assembly.stream.el8 | * |
| RHEM 1.0 for RHEL 9 | RedHat | flightctl-0:1.0.3-1.el9em | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-pf4-rhel9:1782840519 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-pf5-rhel9:1782839981 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-pf6-rhel9:1782839193 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/distributed-tracing-console-plugin-rhel9:1782838753 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-pf4-rhel9:1782839279 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/logging-console-plugin-pf5-rhel9:1782840539 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/monitoring-console-plugin-pf5-rhel9:1782844225 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/monitoring-console-plugin-pf6-rhel9:1782839658 | * |
| Cluster Observability Operator 1.5.0 | RedHat | cluster-observability-operator/monitoring-console-plugin-rhel9:1782838476 | * |
| DevWorkspace Operator 0.42 | RedHat | devworkspace/devworkspace-rhel9-operator:1782401674 | * |
| Logging Subsystem for Red Hat OpenShift 6.4 | RedHat | openshift-logging/eventrouter-rhel9:1782408807 | * |
| Multicluster engine for Kubernetes 2.6 | RedHat | multicluster-engine/assisted-service-8-rhel8:1783332008 | * |
| Multicluster engine for Kubernetes 2.6 | RedHat | multicluster-engine/assisted-service-9-rhel9:1783333268 | * |
| Multicluster engine for Kubernetes 2.8 | RedHat | multicluster-engine/kube-rbac-proxy-mce-rhel9:1782477094 | * |
| Multicluster engine for Kubernetes 2.8 | RedHat | multicluster-engine/multicloud-manager-rhel9:1782308518 | * |
| Multicluster engine for Kubernetes 2.9 | RedHat | multicluster-engine/discovery-rhel9:1783260894 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/acm-grafana-rhel9:1782383730 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/acm-multicluster-observability-addon-rhel9:1782156698 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/acm-prometheus-config-reloader-rhel9:1782157632 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/acm-prometheus-rhel9:1782157829 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/cluster-backup-rhel9-operator:1782157630 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/endpoint-monitoring-rhel9-operator:1782382580 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/grafana-dashboard-loader-rhel9:1782383255 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/kube-rbac-proxy-rhel9:1782488873 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/kube-state-metrics-rhel9:1782157507 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/metrics-collector-rhel9:1782396604 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/multicluster-observability-rhel9-operator:1782382711 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/node-exporter-rhel9:1782157546 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/observatorium-rhel9:1782157471 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/observatorium-rhel9-operator:1782157018 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/prometheus-alertmanager-rhel9:1782156920 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/prometheus-rhel9:1782374537 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/rbac-query-proxy-rhel9:1782383676 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/thanos-receive-controller-rhel9:1782156860 | * |
| Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/thanos-rhel9:1782465412 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.10 | RedHat | advanced-cluster-security/rhacs-main-rhel8:1781686458 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.11 | RedHat | advanced-cluster-security/rhacs-main-rhel9:1783352589 | * |
| Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-main-rhel8:1781686446 | * |
| Red Hat Edge Manager 1.0 | RedHat | rhem/flightctl-ui-rhel9:1783502438 | * |
| Red Hat Enterprise Linux AI 3.4 | RedHat | rhelai3/disk-image-cuda-rhel9:1782804957 | * |
| Red Hat Enterprise Linux AI 3.4 | RedHat | rhelai3/bootc-aws-cuda-rhel9:1782758407 | * |
| Red Hat Enterprise Linux AI 3.4 | RedHat | rhelai3/bootc-azure-cuda-rhel9:1782758410 | * |
| Red Hat Enterprise Linux AI 3.4 | RedHat | rhelai3/bootc-azure-rocm-rhel9:1782754093 | * |
| Red Hat Enterprise Linux AI 3.4 | RedHat | rhelai3/bootc-cuda-rhel9:1782744816 | * |
| Red Hat Enterprise Linux AI 3.4 | RedHat | rhelai3/bootc-gcp-cuda-rhel9:1782758409 | * |
| Red Hat Enterprise Linux AI 3.4 | RedHat | rhelai3/bootc-rocm-rhel9:1782744830 | * |
| Red Hat Hardened Images | RedHat | golang1-25-main-1.25.11-2.hum1 | * |
| Red Hat Hardened Images | RedHat | golang1-26-main-1.26.4-2.hum1 | * |
| Red Hat OpenShift Builds 1.7.4 | RedHat | openshift-builds/openshift-builds-controller-rhel9:1783057515 | * |
| Red Hat OpenShift Builds 1.7.4 | RedHat | openshift-builds/openshift-builds-waiters-rhel9:1783057868 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/cephcsi-rhel9:1782932114 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/cephcsi-rhel9-operator:1782931768 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/devicefinder-rhel9:1782932104 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/mcg-core-rhel9:1783536000 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/mcg-rhel9-operator:1783535989 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/ocs-client-console-rhel9:1783536515 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/ocs-client-rhel9-operator:1782932521 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/ocs-metrics-exporter-rhel9:1783018461 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/ocs-rhel9-operator:1783018421 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-blackbox-exporter-rhel9:1782932812 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-cli-rhel9:1783537001 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-cloudnative-pg-rhel9-operator:1782932919 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-console-rhel9:1783537586 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-cosi-sidecar-rhel9:1782932969 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-csi-addons-rhel9-operator:1782933015 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-csi-addons-sidecar-rhel9:1782933042 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-drbd-rhel9:1783537392 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-external-snapshotter-rhel9-operator:1782933235 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-external-snapshotter-sidecar-rhel9:1782933251 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-multicluster-console-rhel9:1783537955 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-multicluster-rhel9-operator:1782933417 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-must-gather-rhel9:1783537742 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odf-rhel9-operator:1782933602 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odr-rhel9-operator:1783019377 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odr-volsync-plugin-mover-rhel9:1782934054 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/odr-volsync-plugin-rhel9-operator:1782934036 | * |
| Red Hat Openshift Data Foundation 4.22 | RedHat | odf4/rook-ceph-rhel9-operator:1782934284 | * |
| Red Hat OpenShift Dev Spaces 3.29 | RedHat | devspaces/udi-rhel9:1782991491 | * |
| Red Hat OpenShift GitOps 1.19 | RedHat | openshift-gitops-1/dex-rhel8:1782292352 | * |
| Red Hat OpenShift GitOps 1.20 | RedHat | openshift-gitops-1/dex-rhel9:1782383826 | * |
| Red Hat OpenShift Service Mesh 2.6 | RedHat | openshift-service-mesh/kiali-rhel8:1782287580 | * |
| Red Hat OpenShift Service Mesh 3 | RedHat | openshift-service-mesh/kiali-rhel9:1782201833 | * |
| Red Hat OpenShift Service Mesh 3.1 | RedHat | openshift-service-mesh/kiali-rhel9:1782201537 | * |
| Red Hat OpenShift Service Mesh 3.2 | RedHat | openshift-service-mesh/kiali-rhel9:1782201812 | * |
| Red Hat OpenShift Service Mesh 3.3 | RedHat | openshift-service-mesh/kiali-rhel9:1782201466 | * |
| Red Hat Trusted Artifact Signer 1.4 | RedHat | conforma-cli-stack-v1-4-1.4.2 | * |
| Red Hat Trusted Artifact Signer 1.4 | RedHat | conforma-cli-stack-v1-4-1.4.2 | * |
| Golang-golang-x-net-dev | Ubuntu | esm-apps/bionic | * |
| Golang-golang-x-net-dev | Ubuntu | esm-apps/focal | * |
Attackers can sometimes bypass input validation schemes by finding inputs that appear to be safe, but will be dangerous when processed at a lower layer or by a downstream component. For example, a simple XSS protection mechanism might try to validate that an input has no “” tags using case-sensitive matching, but since HTML is case-insensitive when processed by web browsers, an attacker could inject “” and trigger XSS.