CVE-2024-9681
HSTS subdomain overwrites parent cache entry
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
When curl is asked to use HSTS, the expiry time for a subdomain might
overwrite a parent domain's cache entry, making it end sooner or later than
otherwise intended.
This affects curl using applications that enable HSTS and use URLs with the
insecure `HTTP://` scheme and perform transfers with hosts like
`x.example.com` as well as `example.com` where the first host is a subdomain
of the second host.
(The HSTS cache either needs to have been populated manually or there needs to
have been previous HTTPS accesses done as the cache needs to have entries for
the domains involved to trigger this problem.)
When `x.example.com` responds with `Strict-Transport-Security:` headers, this
bug can make the subdomain's expiry timeout *bleed over* and get set for the
parent domain `example.com` in curl's HSTS cache.
The result of a triggered bug is that HTTP accesses to `example.com` get
converted to HTTPS for a different period of time than what was asked for by
the origin server. If `example.com` for example stops supporting HTTPS at its
expiry time, curl might then fail to access `http://example.com` until the
(wrongly set) timeout expires. This bug can also expire the parent's entry
*earlier*, thus making curl inadvertently switch back to insecure HTTP earlier
than otherwise intended.
Cuando se le pide a curl que use HSTS, el tiempo de expiración de un subdominio puede sobrescribir la entrada de caché de un dominio principal, lo que hace que finalice antes o después de lo previsto. Esto afecta a curl que usa aplicaciones que habilitan HSTS y usan URL con el esquema inseguro `HTTP://` y realizan transferencias con hosts como `x.example.com` así como `example.com` donde el primer host es un subdominio del segundo host. (El caché HSTS debe haberse llenado manualmente o debe haber habido accesos HTTPS previos ya que el caché debe tener entradas para los dominios involucrados para activar este problema). Cuando `x.example.com` responde con encabezados `Strict-Transport-Security:`, este error puede hacer que el tiempo de expiración del subdominio *se extienda* y se configure para el dominio principal `example.com` en el caché HSTS de curl. El resultado de un error activado es que los accesos HTTP a `example.com` se convierten a HTTPS durante un período de tiempo diferente al solicitado por el servidor de origen. Si `example.com`, por ejemplo, deja de admitir HTTPS en su momento de vencimiento, curl podría entonces no poder acceder a `http://example.com` hasta que expire el tiempo de espera (configurado incorrectamente). Este error también puede hacer que la entrada principal expire *antes*, lo que hace que curl vuelva inadvertidamente a HTTP inseguro antes de lo previsto.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-10-09 CVE Reserved
- 2024-11-06 CVE Published
- 2024-11-06 CVE Updated
- 2024-11-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://curl.se/docs/CVE-2024-9681.html | ||
https://curl.se/docs/CVE-2024-9681.json | ||
https://hackerone.com/reports/2764830 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.10.1 Search vendor "Curl" for product "Curl" and version "8.10.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.10.0 Search vendor "Curl" for product "Curl" and version "8.10.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.9.1 Search vendor "Curl" for product "Curl" and version "8.9.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.9.0 Search vendor "Curl" for product "Curl" and version "8.9.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.8.0 Search vendor "Curl" for product "Curl" and version "8.8.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.7.1 Search vendor "Curl" for product "Curl" and version "8.7.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.7.0 Search vendor "Curl" for product "Curl" and version "8.7.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.6.0 Search vendor "Curl" for product "Curl" and version "8.6.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.5.0 Search vendor "Curl" for product "Curl" and version "8.5.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.4.0 Search vendor "Curl" for product "Curl" and version "8.4.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.3.0 Search vendor "Curl" for product "Curl" and version "8.3.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.2.1 Search vendor "Curl" for product "Curl" and version "8.2.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.2.0 Search vendor "Curl" for product "Curl" and version "8.2.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.1.2 Search vendor "Curl" for product "Curl" and version "8.1.2" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.1.1 Search vendor "Curl" for product "Curl" and version "8.1.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.1.0 Search vendor "Curl" for product "Curl" and version "8.1.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.0.1 Search vendor "Curl" for product "Curl" and version "8.0.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 8.0.0 Search vendor "Curl" for product "Curl" and version "8.0.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.88.1 Search vendor "Curl" for product "Curl" and version "7.88.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.88.0 Search vendor "Curl" for product "Curl" and version "7.88.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.87.0 Search vendor "Curl" for product "Curl" and version "7.87.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.86.0 Search vendor "Curl" for product "Curl" and version "7.86.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.85.0 Search vendor "Curl" for product "Curl" and version "7.85.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.84.0 Search vendor "Curl" for product "Curl" and version "7.84.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.83.1 Search vendor "Curl" for product "Curl" and version "7.83.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.83.0 Search vendor "Curl" for product "Curl" and version "7.83.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.82.0 Search vendor "Curl" for product "Curl" and version "7.82.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.81.0 Search vendor "Curl" for product "Curl" and version "7.81.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.80.0 Search vendor "Curl" for product "Curl" and version "7.80.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.79.1 Search vendor "Curl" for product "Curl" and version "7.79.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.79.0 Search vendor "Curl" for product "Curl" and version "7.79.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.78.0 Search vendor "Curl" for product "Curl" and version "7.78.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.77.0 Search vendor "Curl" for product "Curl" and version "7.77.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.76.1 Search vendor "Curl" for product "Curl" and version "7.76.1" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.76.0 Search vendor "Curl" for product "Curl" and version "7.76.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.75.0 Search vendor "Curl" for product "Curl" and version "7.75.0" | en |
Affected
| ||||||
Curl Search vendor "Curl" | Curl Search vendor "Curl" for product "Curl" | 7.74.0 Search vendor "Curl" for product "Curl" and version "7.74.0" | en |
Affected
|