CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.  Further, this error condition fails silently and is therefore not easily detected by an application.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
curlCNA
---
---
CISA-ADPADP
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
VendorProductVersion
haxxcurl
7.44.0 ≤
𝑥
< 8.7.0
applemacos
𝑥
< 12.7.6
applemacos
13.0 ≤
𝑥
< 13.6.8
applemacos
14.0 ≤
𝑥
< 14.6
netappactive_iq_unified_manager
-
netappontap_select_deploy_administration_utility
-
netappbrocade_fabric_operating_system
-
netappbootstrap_os
-
netapph300s_firmware
-
netapph410s_firmware
-
netapph500s_firmware
-
netapph610c_firmware
-
netapph610s_firmware
-
netapph615c_firmware
-
netapph700s_firmware
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
fixed
buster
postponed
bullseye (security)
7.74.0-1.3+deb11u15
fixed
bookworm
7.88.1-10+deb12u12
fixed
bookworm (security)
vulnerable
trixie
8.14.1-2
fixed
forky
8.15.0-1
fixed
sid
8.16.0~rc2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
plucky
Fixed 8.5.0-2ubuntu10.1
released
oracular
Fixed 8.5.0-2ubuntu10.1
released
noble
Fixed 8.5.0-2ubuntu10.1
released
mantic
Fixed 8.2.1-1ubuntu3.3
released
jammy
Fixed 7.81.0-1ubuntu1.16
released
focal
Fixed 7.68.0-1ubuntu2.22
released
bionic
Fixed 7.58.0-2ubuntu3.24+esm4
released
xenial
Fixed 7.47.0-1ubuntu2.19+esm12
released
trusty
not-affected
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/3
https://curl.se/docs/CVE-2024-2398.html
https://curl.se/docs/CVE-2024-2398.json
https://hackerone.com/reports/2402845
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
https://security.netapp.com/advisory/ntap-20240503-0009/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/3
https://curl.se/docs/CVE-2024-2398.html
https://curl.se/docs/CVE-2024-2398.json
https://hackerone.com/reports/2402845
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
https://security.netapp.com/advisory/ntap-20240503-0009/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120