CVE-2024-34402: 
CBL Mariner vulnerability analysis and mitigation

An integer overflow vulnerability (CVE-2024-34402) was discovered in uriparser through version 0.9.7. The vulnerability exists in the ComposeQueryEngine function within UriQuery.c, where an integer overflow can occur via long keys or values, potentially leading to a buffer overflow (NVD, MITRE).

The vulnerability occurs in the ComposeQueryEngine function of UriQuery.c where the calculation of required space for query string composition can result in an integer overflow when handling sufficiently large keys or values. The issue involves calculations using worstCase multiplier that could overflow when key or value lengths approach INT_MAX (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H (NVD).

The vulnerability could allow attackers to cause denial of service conditions or potentially execute arbitrary code through specially crafted input. The integer overflow can lead to incorrect memory allocations and subsequent buffer overflow conditions (GitHub Issue).

The vulnerability has been fixed in uriparser version 0.9.8. Users are advised to upgrade to this version which includes protection against integer overflow in ComposeQueryEngine (OSS Security). Various Linux distributions including Fedora have released security updates to address this vulnerability (Fedora Update).