CVE-2024-2004 — LOW (3.5) — White Hats Nepal

Q: How severe is CVE-2024-2004?

CVE-2024-2004 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-2004?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Fedoraproject Fedora, Apple Macos, Netapp Ontap, Netapp Ontap Select Deploy Administration Utility.

Vulnerability Description

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.

CVSS Score

3.5

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Haxx	Curl	>= 7.85.0, < 8.7.0
Fedoraproject	Fedora	39
Apple	Macos	< 12.7.6
Netapp	Ontap	9
Netapp	Ontap Select Deploy Administration Utility	-
Netapp	Bootstrap Os	-
Netapp	Hci Compute Node	-
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H410S Firmware	-
Netapp	H410S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H700S Firmware	-
Netapp	H700S	-

Related Weaknesses (CWE)

CWE-436

References

http://seclists.org/fulldisclosure/2024/Jul/18Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2024/Jul/19Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2024/Jul/20Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/27/1Mailing ListThird Party Advisory
https://curl.se/docs/CVE-2024-2004.htmlVendor Advisory
https://curl.se/docs/CVE-2024-2004.jsonVendor Advisory
https://hackerone.com/reports/2384833ExploitIssue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
https://security.netapp.com/advisory/ntap-20240524-0006/Third Party Advisory
https://support.apple.com/kb/HT214118Release NotesVendor Advisory
https://support.apple.com/kb/HT214119Release NotesVendor Advisory
https://support.apple.com/kb/HT214120Release NotesVendor Advisory
http://seclists.org/fulldisclosure/2024/Jul/18Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2024/Jul/19Mailing ListThird Party Advisory

FAQ

What is CVE-2024-2004?

CVE-2024-2004 is a vulnerability with a CVSS score of 3.5 (LOW). When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protoco...

How severe is CVE-2024-2004?

CVE-2024-2004 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-2004?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Fedoraproject Fedora, Apple Macos, Netapp Ontap, Netapp Ontap Select Deploy Administration Utility.