CVE-2024-2379

libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
curlCNA
---
---
CVEADP
---
---
CISA-ADPADP
6.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
VendorProductVersion
haxxcurl
8.6.0
applemacos
𝑥
< 12.7.6
applemacos
13.0 ≤
𝑥
< 13.6.8
applemacos
14.0 ≤
𝑥
< 14.6
netappactive_iq_unified_manager
-
netappontap_select_deploy_administration_utility
-
netapph300s_firmware
-
netapph410s_firmware
-
netapph500s_firmware
-
netapph610c_firmware
-
netapph610s_firmware
-
netapph615c_firmware
-
netapph700s_firmware
-
netappbootstrap_os
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
unimportant
bullseye (security)
unimportant
bookworm
unimportant
bookworm (security)
unimportant
trixie
8.14.1-2
fixed
forky
8.15.0-1
fixed
sid
8.16.0~rc2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
noble
not-affected
mantic
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/2
https://curl.se/docs/CVE-2024-2379.html
https://curl.se/docs/CVE-2024-2379.json
https://hackerone.com/reports/2410774
https://security.netapp.com/advisory/ntap-20240531-0001/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/2
https://curl.se/docs/CVE-2024-2379.html
https://curl.se/docs/CVE-2024-2379.json
https://hackerone.com/reports/2410774
https://security.netapp.com/advisory/ntap-20240531-0001/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120