CVE-2024-2379
MEDIUM severity · CVSS 6.3 · CWE-295
Summary
libcurl, when built with wolfSSL as its TLS backend, skips certificate verification for a QUIC (HTTP/3) connection under one condition: the application asks for a cipher list or curve that wolfSSL does not recognise. The error path for that rejected setting accidentally skips the verification setup and returns OK, so the connection proceeds with any certificate problem ignored.
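The bug class described above, an error path that leaves a "success" result in place and jumps past the code that arms certificate checking, modelled as an added example. This is not libcurl's or wolfSSL's code: the result enum, the `set_cipher_list` stand-in (its accepted cipher names are constructed) and the `handshake` model are all hypothetical, and only the shape of the vulnerable and fixed setup functions mirrors what the advisory describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes standing in for CURLcode; this is an added
 * model of the advisory's error-path bug, not libcurl's or wolfSSL's code. */
typedef enum { TLS_OK = 0, TLS_ERR_CIPHER = 1, TLS_ERR_CERT = 2 } tls_result;

struct tls_ctx {
    bool verify_peer;   /* true once certificate verification is armed */
};

/* Stand-in for a library call such as wolfSSL_CTX_set_cipher_list(): the
 * real call returns 1 on success and rejects names it does not know. The
 * accepted list here is constructed for the example. */
static int set_cipher_list(const char *ciphers)
{
    static const char *const known[] = {
        "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(ciphers, known[i]) == 0)
            return 1;
    return 0;
}

/* Vulnerable shape: result is initialised to success, the cipher failure
 * branch jumps to the exit label without changing it, and the line that
 * arms verification is skipped. The caller sees TLS_OK and connects with
 * no certificate checking at all. */
tls_result setup_vulnerable(struct tls_ctx *ctx, const char *ciphers, bool verify)
{
    tls_result result = TLS_OK;
    ctx->verify_peer = false;
    if (ciphers && !set_cipher_list(ciphers))
        goto out;                 /* BUG: result is still TLS_OK here */
    ctx->verify_peer = verify;    /* never reached on the error path */
out:
    return result;
}

/* Fixed shape: every early exit sets an explicit error before jumping. */
tls_result setup_fixed(struct tls_ctx *ctx, const char *ciphers, bool verify)
{
    tls_result result = TLS_OK;
    ctx->verify_peer = false;
    if (ciphers && !set_cipher_list(ciphers)) {
        result = TLS_ERR_CIPHER;  /* the error path now reports the failure */
        goto out;
    }
    ctx->verify_peer = verify;
out:
    return result;
}

/* Models the handshake: a bad certificate is rejected only if verification
 * was armed during setup. cert_valid is the constructed outcome of the
 * peer's chain check. */
tls_result handshake(const struct tls_ctx *ctx, bool cert_valid)
{
    if (ctx->verify_peer && !cert_valid)
        return TLS_ERR_CERT;
    return TLS_OK;
}

/* Runs setup followed by the handshake, as a client would, stopping at the
 * first error. With setup_vulnerable and an unknown cipher name a bad
 * certificate is accepted; with setup_fixed the connection fails early. */
tls_result connect_with(tls_result (*setup)(struct tls_ctx *, const char *, bool),
                        const char *ciphers, bool cert_valid)
{
    struct tls_ctx ctx;
    tls_result r = setup(&ctx, ciphers, true);   /* caller always wants verification */
    if (r != TLS_OK)
        return r;
    return handshake(&ctx, cert_valid);
}

int main(void)
{
    printf("vulnerable, unknown cipher, bad cert: %d\n",
           connect_with(setup_vulnerable, "NOT-A-CIPHER", false));
    printf("fixed, unknown cipher, bad cert:      %d\n",
           connect_with(setup_fixed, "NOT-A-CIPHER", false));
    printf("fixed, known cipher, bad cert:        %d\n",
           connect_with(setup_fixed, "TLS_AES_128_GCM_SHA256", false));
    return 0;
}
```

The point to take from the model is that the vulnerable function only misbehaves when the caller supplies a cipher or curve name the library rejects; with a known name both versions verify the certificate. That matches the advisory's "unknown/bad cipher or curve" precondition, and it is why the bug is easy to miss in testing that never exercises the failure branch.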
Impact & exploitability
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality impact: Low
Integrity impact: Low
Availability impact: Low
Exploit probability (EPSS): 2%
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle: the issue affects curl 8.6.0 and is fixed in curl 8.7.0. Open any affected product above for its exact safe version. Only libcurl builds that use wolfSSL as the TLS backend and have HTTP/3 (QUIC) support are exposed; `curl --version` reports the TLS backend on its first line and lists `HTTP3` under Features. Builds using another TLS backend, or without QUIC, are not affected, and the bug is only reached when the application requests a cipher list or curve that wolfSSL rejects.
Additional information
- NVD record
- Advisory: https://curl.se/docs/CVE-2024-2379.html
- Advisory: https://curl.se/docs/CVE-2024-2379.json
- Advisory: http://seclists.org/fulldisclosure/2024/Jul/18
- Advisory: http://seclists.org/fulldisclosure/2024/Jul/19
- Advisory: http://seclists.org/fulldisclosure/2024/Jul/20
- Advisory: http://www.openwall.com/lists/oss-security/2024/03/27/2
- Advisory: https://security.netapp.com/advisory/ntap-20240531-0001/
- Advisory: https://hackerone.com/reports/2410774