{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-2379", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "state": "PUBLISHED", "assignerShortName": "curl", "dateReserved": "2024-03-11T14:39:01.543Z", "datePublished": "2024-03-27T07:56:41.158Z", "dateUpdated": "2025-02-13T17:39:51.599Z"}, "containers": {"cna": {"title": "QUIC certificate check bypass with wolfSSL", "descriptions": [{"lang": "en", "value": "libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems."}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-29T22:06:15.682Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-295 Improper Certificate Validation"}]}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.6.0", "status": "affected", "lessThanOrEqual": "8.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-2379.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-2379.html", "name": "www"}, {"url": "https://hackerone.com/reports/2410774", "name": "issue"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/27/2"}, {"url": "https://security.netapp.com/advisory/ntap-20240531-0001/"}, {"url": "https://support.apple.com/kb/HT214119"}, {"url": "https://support.apple.com/kb/HT214118"}, {"url": "https://support.apple.com/kb/HT214120"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/20"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/19"}], "credits": [{"lang": "en", "value": "Dexter Gerig", "type": "finder"}, {"lang": "en", "value": "Daniel Stenberg", "type": "remediation developer"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.464Z"}, "title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-2379.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-2379.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2410774", "name": "issue", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/27/2", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240531-0001/", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214119", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214118", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214120", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/20", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/19", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-19T17:42:40.991655Z", "id": "CVE-2024-2379", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T19:51:37.916Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-2379.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-2379.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2410774", "name": "issue", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/27/2", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240531-0001/", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214119", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214118", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214120", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/20", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/19", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.464Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-2379", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-19T17:42:40.991655Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T17:42:46.091Z"}}], "cna": {"title": "QUIC certificate check bypass with wolfSSL", "credits": [{"lang": "en", "type": "finder", "value": "Dexter Gerig"}, {"lang": "en", "type": "remediation developer", "value": "Daniel Stenberg"}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.6.0", "versionType": "semver", "lessThanOrEqual": "8.6.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-2379.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-2379.html", "name": "www"}, {"url": "https://hackerone.com/reports/2410774", "name": "issue"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/27/2"}, {"url": "https://security.netapp.com/advisory/ntap-20240531-0001/"}, {"url": "https://support.apple.com/kb/HT214119"}, {"url": "https://support.apple.com/kb/HT214118"}, {"url": "https://support.apple.com/kb/HT214120"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/20"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/19"}], "descriptions": [{"lang": "en", "value": "libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-295 Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-29T22:06:15.682Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2379", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:39:51.599Z", "dateReserved": "2024-03-11T14:39:01.543Z", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "datePublished": "2024-03-27T07:56:41.158Z", "assignerShortName": "curl"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems."}, {"lang": "es", "value": "libcurl omite la verificaci\u00f3n del certificado para una conexi\u00f3n QUIC bajo ciertas condiciones, cuando est\u00e1 dise\u00f1ado para usar wolfSSL. Si se le indica que utilice un cifrado o curva desconocido/incorrecto, la ruta de error omite accidentalmente la verificaci\u00f3n y devuelve OK, ignorando as\u00ed cualquier problema de certificado."}], "id": "CVE-2024-2379", "lastModified": "2024-11-21T09:09:37.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-27T08:15:41.230", "references": [{"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "http://seclists.org/fulldisclosure/2024/Jul/19"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "http://seclists.org/fulldisclosure/2024/Jul/20"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "http://www.openwall.com/lists/oss-security/2024/03/27/2"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2024-2379.html"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2024-2379.json"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://hackerone.com/reports/2410774"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://security.netapp.com/advisory/ntap-20240531-0001/"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://support.apple.com/kb/HT214118"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://support.apple.com/kb/HT214119"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://support.apple.com/kb/HT214120"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jul/19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jul/20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/27/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://curl.se/docs/CVE-2024-2379.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://curl.se/docs/CVE-2024-2379.json"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://hackerone.com/reports/2410774"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240531-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214118"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214119"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214120"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-curl-0:8.7.1-2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.57-10.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_http2-0:1.15.19-37.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_md-1:2.4.24-6.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_security-0:2.9.3-36.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-nghttp2-0:1.43.0-13.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:8.7.1-2.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.57-10.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:1.15.19-37.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_md-1:2.4.24-6.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.3-36.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-nghttp2-0:1.43.0-13.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2694", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "curl", "product_name": "Text-Only JBCS", "release_date": "2024-05-07T00:00:00Z"}], "bugzilla": {"description": "curl: QUIC certificate check bypass with wolfSSL", "id": "2270499", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270499"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-295", "details": ["libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.", "A flaw was found in curl. When libcurl is built to use wolfSSL as the TLS backend, it skips certificate verification for a QUIC connection if an unknown/bad cipher or curve is used."], "name": "CVE-2024-2379", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "httpd24-curl", "product_name": "Red Hat Software Collections"}], "public_date": "2024-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-2379\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-2379\nhttps://curl.se/docs/CVE-2024-2379.html"], "statement": "The curl package as shipped by Red Hat Enterprise Linux and RHSCL is not affected by this vulnerability because it does not have support for wolfSSL.", "threat_severity": "Low", "upstream_fix": "curl 8.7.0"}