CVE-2024-2379
QUIC certificate check bypass with wolfSSL
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 0
Exploited in Wild: -
Decision
Descriptions
libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.
A flaw was found in curl. When libcurl is built to use wolfSSL as the TLS backend, it skips certificate verification for a QUIC connection if an unknown/bad cipher or curve is used.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-03-11 CVE Reserved
- 2024-03-27 CVE Published
- 2024-07-30 EPSS Updated
- 2024-11-14 CVE Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-295: Improper Certificate Validation
CAPEC
References (13)
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-2379 | 2024-05-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2270499 | 2024-05-07 | |