CVSS: 6.5EPSS: 0%CPEs: 86EXPL: 0CVE-2024-8096 – OCSP stapling bypass with GnuTLS
https://notcve.org/view.php?id=CVE-2024-8096
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. • https://curl.se/docs/CVE-2024-8096.json https://curl.se/docs/CVE-2024-8096.html https://hackerone.com/reports/2669852 • CWE-295: Improper Certificate Validation •
CVSS: -EPSS: 0%CPEs: 95EXPL: 0CVE-2024-7264 – ASN.1 date parser overread
https://notcve.org/view.php?id=CVE-2024-7264
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. • https://curl.se/docs/CVE-2024-7264.html https://curl.se/docs/CVE-2024-7264.json https://hackerone.com/reports/2629968 http://www.openwall.com/lists/oss-security/2024/07/31/1 •
CVSS: 8.6EPSS: 0%CPEs: 77EXPL: 0CVE-2024-2398 – HTTP/2 push headers memory-leak
https://notcve.org/view.php?id=CVE-2024-2398
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. Cuando una aplicación le dice a libcurl que quiere permitir la inserción del servidor HTTP/2 y la cantidad de encabezados recibidos para la inserción supera el límite máximo permitido (1000), libcurl cancela la inserción del servidor. Al cancelar, libcurl inadvertidamente no libera todos los encabezados previamente asignados y, en cambio, pierde memoria. • http://www.openwall.com/lists/oss-security/2024/03/27/3 https://curl.se/docs/CVE-2024-2398.html https://curl.se/docs/CVE-2024-2398.json https://hackerone.com/reports/2402845 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI https://security.netapp.com/advisory/ntap-20240503-0009 https://support.apple.com/kb& • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2023-46218 – curl: information disclosure by exploiting a mixed case flaw
https://notcve.org/view.php?id=CVE-2023-46218
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain. Esta falla permite que un servidor HTTP malicioso establezca "supercookies" en curl que luego se devuelven a más orígenes de los que están permitidos o son posibles. Esto permite que un sitio establezca cookies que luego se enviarán a sitios y dominios diferentes y no relacionados. • https://curl.se/docs/CVE-2023-46218.html https://hackerone.com/reports/2212193 https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD https://security.netapp.com/advisory/ntap-20240125-0007 https://www.debian.org/security/2023/dsa-5587 https://access.redhat • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 5.9EPSS: 0%CPEs: 14EXPL: 1CVE-2023-28320
https://notcve.org/view.php?id=CVE-2023-28320
A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave. • http://seclists.org/fulldisclosure/2023/Jul/47 http://seclists.org/fulldisclosure/2023/Jul/48 http://seclists.org/fulldisclosure/2023/Jul/52 https://hackerone.com/reports/1929597 https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230609-0009 https://support.apple.com/kb/HT213843 https://support.apple.com/kb/HT213844 https://support.apple.com/kb/HT213845 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-400: Uncontrolled Resource Consumption •