// For flags

CVE-2024-9681

HSTS subdomain overwrites parent cache entry

Severity Score

5.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

When curl is asked to use HSTS, the expiry time for a subdomain might
overwrite a parent domain's cache entry, making it end sooner or later than
otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the
insecure `HTTP://` scheme and perform transfers with hosts like
`x.example.com` as well as `example.com` where the first host is a subdomain
of the second host.

(The HSTS cache either needs to have been populated manually or there needs to
have been previous HTTPS accesses done as the cache needs to have entries for
the domains involved to trigger this problem.)

When `x.example.com` responds with `Strict-Transport-Security:` headers, this
bug can make the subdomain's expiry timeout *bleed over* and get set for the
parent domain `example.com` in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to `example.com` get
converted to HTTPS for a different period of time than what was asked for by
the origin server. If `example.com` for example stops supporting HTTPS at its
expiry time, curl might then fail to access `http://example.com` until the
(wrongly set) timeout expires. This bug can also expire the parent's entry
*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier
than otherwise intended.

Cuando se le pide a curl que use HSTS, el tiempo de expiración de un subdominio puede sobrescribir la entrada de caché de un dominio principal, lo que hace que finalice antes o después de lo previsto. Esto afecta a curl que usa aplicaciones que habilitan HSTS y usan URL con el esquema inseguro `HTTP://` y realizan transferencias con hosts como `x.example.com` así como `example.com` donde el primer host es un subdominio del segundo host. (El caché HSTS debe haberse llenado manualmente o debe haber habido accesos HTTPS previos ya que el caché debe tener entradas para los dominios involucrados para activar este problema). Cuando `x.example.com` responde con encabezados `Strict-Transport-Security:`, este error puede hacer que el tiempo de expiración del subdominio *se extienda* y se configure para el dominio principal `example.com` en el caché HSTS de curl. El resultado de un error activado es que los accesos HTTP a `example.com` se convierten a HTTPS durante un período de tiempo diferente al solicitado por el servidor de origen. Si `example.com`, por ejemplo, deja de admitir HTTPS en su momento de vencimiento, curl podría entonces no poder acceder a `http://example.com` hasta que expire el tiempo de espera (configurado incorrectamente). Este error también puede hacer que la entrada principal expire *antes*, lo que hace que curl vuelva inadvertidamente a HTTP inseguro antes de lo previsto.

*Credits: newfunction, Daniel Stenberg
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-10-09 CVE Reserved
  • 2024-11-06 CVE Published
  • 2024-11-06 CVE Updated
  • 2024-11-07 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.10.1
Search vendor "Curl" for product "Curl" and version "8.10.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.10.0
Search vendor "Curl" for product "Curl" and version "8.10.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.9.1
Search vendor "Curl" for product "Curl" and version "8.9.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.9.0
Search vendor "Curl" for product "Curl" and version "8.9.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.8.0
Search vendor "Curl" for product "Curl" and version "8.8.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.7.1
Search vendor "Curl" for product "Curl" and version "8.7.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.7.0
Search vendor "Curl" for product "Curl" and version "8.7.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.6.0
Search vendor "Curl" for product "Curl" and version "8.6.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.5.0
Search vendor "Curl" for product "Curl" and version "8.5.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.4.0
Search vendor "Curl" for product "Curl" and version "8.4.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.3.0
Search vendor "Curl" for product "Curl" and version "8.3.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.2.1
Search vendor "Curl" for product "Curl" and version "8.2.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.2.0
Search vendor "Curl" for product "Curl" and version "8.2.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.1.2
Search vendor "Curl" for product "Curl" and version "8.1.2"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.1.1
Search vendor "Curl" for product "Curl" and version "8.1.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.1.0
Search vendor "Curl" for product "Curl" and version "8.1.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.0.1
Search vendor "Curl" for product "Curl" and version "8.0.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
8.0.0
Search vendor "Curl" for product "Curl" and version "8.0.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.88.1
Search vendor "Curl" for product "Curl" and version "7.88.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.88.0
Search vendor "Curl" for product "Curl" and version "7.88.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.87.0
Search vendor "Curl" for product "Curl" and version "7.87.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.86.0
Search vendor "Curl" for product "Curl" and version "7.86.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.85.0
Search vendor "Curl" for product "Curl" and version "7.85.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.84.0
Search vendor "Curl" for product "Curl" and version "7.84.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.83.1
Search vendor "Curl" for product "Curl" and version "7.83.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.83.0
Search vendor "Curl" for product "Curl" and version "7.83.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.82.0
Search vendor "Curl" for product "Curl" and version "7.82.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.81.0
Search vendor "Curl" for product "Curl" and version "7.81.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.80.0
Search vendor "Curl" for product "Curl" and version "7.80.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.79.1
Search vendor "Curl" for product "Curl" and version "7.79.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.79.0
Search vendor "Curl" for product "Curl" and version "7.79.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.78.0
Search vendor "Curl" for product "Curl" and version "7.78.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.77.0
Search vendor "Curl" for product "Curl" and version "7.77.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.76.1
Search vendor "Curl" for product "Curl" and version "7.76.1"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.76.0
Search vendor "Curl" for product "Curl" and version "7.76.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.75.0
Search vendor "Curl" for product "Curl" and version "7.75.0"
en
Affected
Curl
Search vendor "Curl"
Curl
Search vendor "Curl" for product "Curl"
7.74.0
Search vendor "Curl" for product "Curl" and version "7.74.0"
en
Affected