CVE-2024-2004

EUVD-2024-26974
When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled.      curl --proto -all,-http http://curl.se  The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
curlCNA
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
Affected Products (NVD)
VendorProductVersion
haxxcurl
7.85.0 ≤
𝑥
< 8.7.0
applemacos
𝑥
< 12.7.6
applemacos
13.0 ≤
𝑥
< 13.6.8
applemacos
14.0 ≤
𝑥
< 14.6
netappontap_select_deploy_administration_utility
-
netappbootstrap_os
-
netapph300s_firmware
-
netapph410s_firmware
-
netapph500s_firmware
-
netapph700s_firmware
-
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
curlcurl
𝑥
≤ 8.6.0
CNA
curlcurl
𝑥
≤ 8.5.0
CNA
curlcurl
𝑥
≤ 8.4.0
CNA
curlcurl
𝑥
≤ 8.3.0
CNA
curlcurl
𝑥
≤ 8.2.1
CNA
curlcurl
𝑥
≤ 8.2.0
CNA
curlcurl
𝑥
≤ 8.1.2
CNA
curlcurl
𝑥
≤ 8.1.1
CNA
curlcurl
𝑥
≤ 8.1.0
CNA
curlcurl
𝑥
≤ 8.0.1
CNA
curlcurl
𝑥
≤ 8.0.0
CNA
curlcurl
𝑥
≤ 7.88.1
CNA
curlcurl
𝑥
≤ 7.88.0
CNA
curlcurl
𝑥
≤ 7.87.0
CNA
curlcurl
𝑥
≤ 7.86.0
CNA
curlcurl
𝑥
≤ 7.85.0
CNA
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u14
fixed
bookworm (security)
vulnerable
bullseye
7.74.0-1.3+deb11u13
not-affected
bullseye (security)
7.74.0-1.3+deb11u15
fixed
buster
not-affected
forky
8.18.0~rc2-1
fixed
sid
8.18.0~rc3-1
fixed
trixie
8.14.1-2+deb13u2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
bionic
not-affected
focal
not-affected
jammy
not-affected
mantic
Fixed 8.2.1-1ubuntu3.3
released
noble
Fixed 8.5.0-2ubuntu10.1
released
trusty
not-affected
xenial
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
curl
suse enterprise desktop 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise desktop 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise desktop 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise sap 12 SP5
8.0.1-11.86.2
fixed
suse enterprise sap 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise sap 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise sap 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise server 12 SP5
8.0.1-11.86.2
fixed
suse enterprise server 15 SP4
8.0.1-150400.5.44.1
fixed
suse enterprise server 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise server 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise server 15 SP7
8.6.0-150600.4.21.1
fixed
libcurl-devel
suse enterprise desktop 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise desktop 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise desktop 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise sap 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise sap 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise sap 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise server 15 SP4
8.0.1-150400.5.44.1
fixed
suse enterprise server 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise server 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise server 15 SP7
8.6.0-150600.4.21.1
fixed
libcurl4
suse enterprise desktop 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise desktop 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise desktop 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise sap 12 SP5
8.0.1-11.86.2
fixed
suse enterprise sap 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise sap 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise sap 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise server 12 SP5
8.0.1-11.86.2
fixed
suse enterprise server 15 SP4
8.0.1-150400.5.44.1
fixed
suse enterprise server 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise server 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise server 15 SP7
8.6.0-150600.4.21.1
fixed
libcurl4-32bit
suse enterprise desktop 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise desktop 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise desktop 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise sap 12 SP5
8.0.1-11.86.2
fixed
suse enterprise sap 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise sap 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise sap 15 SP7
8.6.0-150600.4.21.1
fixed
suse enterprise server 12 SP5
8.0.1-11.86.2
fixed
suse enterprise server 15 SP4
8.0.1-150400.5.44.1
fixed
suse enterprise server 15 SP5
8.0.1-150400.5.44.1
fixed
suse enterprise server 15 SP6
8.6.0-150600.2.2
fixed
suse enterprise server 15 SP7
8.6.0-150600.4.21.1
fixed
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/1
https://curl.se/docs/CVE-2024-2004.html
https://curl.se/docs/CVE-2024-2004.json
https://hackerone.com/reports/2384833
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
https://security.netapp.com/advisory/ntap-20240524-0006/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/1
https://curl.se/docs/CVE-2024-2004.html
https://curl.se/docs/CVE-2024-2004.json
https://hackerone.com/reports/2384833
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
https://security.netapp.com/advisory/ntap-20240524-0006/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120