CVSS: 5.9EPSS: 0%CPEs: 37EXPL: 0CVE-2024-9681 – HSTS subdomain overwrites parent cache entry
https://notcve.org/view.php?id=CVE-2024-9681
When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended. Cuando se le pide a curl que use HSTS, el tiempo de expiración de un subdominio puede sobrescribir la entrada de caché de un dominio principal, lo que hace que finalice antes o después de lo previsto. Esto afecta a curl que usa aplicaciones que habilitan HSTS y usan URL con el esquema inseguro `HTTP://` y realizan transferencias con hosts como `x.example.com` así como `example.com` donde el primer host es un subdominio del segundo host. • https://curl.se/docs/CVE-2024-9681.html https://curl.se/docs/CVE-2024-9681.json https://hackerone.com/reports/2764830 •
CVSS: 6.5EPSS: 0%CPEs: 86EXPL: 0CVE-2024-8096 – OCSP stapling bypass with GnuTLS
https://notcve.org/view.php?id=CVE-2024-8096
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate. • https://curl.se/docs/CVE-2024-8096.json https://curl.se/docs/CVE-2024-8096.html https://hackerone.com/reports/2669852 • CWE-295: Improper Certificate Validation •
CVSS: 6.3EPSS: 0%CPEs: 95EXPL: 0CVE-2024-7264 – ASN.1 date parser overread
https://notcve.org/view.php?id=CVE-2024-7264
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. A flaw was found in libcurl, where libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If a syntactically incorrect field is given, the parser can use -1 for the length of the *time fraction*, leading to a `strlen()` performed on a pointer to a heap buffer area that is not purposely NULL terminated. • https://curl.se/docs/CVE-2024-7264.html https://curl.se/docs/CVE-2024-7264.json https://hackerone.com/reports/2629968 http://www.openwall.com/lists/oss-security/2024/07/31/1 https://access.redhat.com/security/cve/CVE-2024-7264 https://bugzilla.redhat.com/show_bug.cgi?id=2301888 • CWE-125: Out-of-bounds Read •
CVSS: 8.6EPSS: 0%CPEs: 77EXPL: 0CVE-2024-2398 – HTTP/2 push headers memory-leak
https://notcve.org/view.php?id=CVE-2024-2398
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. Cuando una aplicación le dice a libcurl que quiere permitir la inserción del servidor HTTP/2 y la cantidad de encabezados recibidos para la inserción supera el límite máximo permitido (1000), libcurl cancela la inserción del servidor. Al cancelar, libcurl inadvertidamente no libera todos los encabezados previamente asignados y, en cambio, pierde memoria. • http://www.openwall.com/lists/oss-security/2024/03/27/3 https://curl.se/docs/CVE-2024-2398.html https://curl.se/docs/CVE-2024-2398.json https://hackerone.com/reports/2402845 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI https://security.netapp.com/advisory/ntap-20240503-0009 https://support.apple.com/kb& • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 5.3EPSS: 0%CPEs: 16EXPL: 0CVE-2024-2004 – Usage of disabled protocol
https://notcve.org/view.php?id=CVE-2024-2004
When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug. Cuando una opción de parámetro de selección de protocolo deshabilita todos los protocolos sin agregar ninguno, el conjunto predeterminado de protocolos permanecería en el conjunto permitido debido a un error en la lógica para eliminar protocolos. • http://www.openwall.com/lists/oss-security/2024/03/27/1 https://curl.se/docs/CVE-2024-2004.html https://curl.se/docs/CVE-2024-2004.json https://hackerone.com/reports/2384833 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI https://security.netapp.com/advisory/ntap-20240524-0006 https://support.apple.com/kb& • CWE-115: Misinterpretation of Input CWE-436: Interpretation Conflict •