CVE-2024-2398 — HIGH (8.6) — White Hats Nepal

Q: How severe is CVE-2024-2398?

CVE-2024-2398 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-2398?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Apple Macos, Fedoraproject Fedora, Netapp Active Iq Unified Manager, Netapp Ontap Select Deploy Administration Utility.

Vulnerability Description

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Haxx	Curl	>= 7.44.0, < 8.7.0
Apple	Macos	< 12.7.6
Fedoraproject	Fedora	39
Netapp	Active Iq Unified Manager	-
Netapp	Ontap Select Deploy Administration Utility	-
Netapp	Brocade Fabric Operating System	-
Netapp	Bootstrap Os	-
Netapp	Hci Compute Node	-
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H410S Firmware	-
Netapp	H410S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H610C Firmware	-
Netapp	H610C	-
Netapp	H610S Firmware	-
Netapp	H610S	-
Netapp	H615C Firmware	-
Netapp	H615C	-

Related Weaknesses (CWE)

CWE-772

References

http://seclists.org/fulldisclosure/2024/Jul/18Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2024/Jul/19Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2024/Jul/20Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/27/3Mailing ListThird Party Advisory
https://curl.se/docs/CVE-2024-2398.htmlVendor Advisory
https://curl.se/docs/CVE-2024-2398.jsonVendor Advisory
https://hackerone.com/reports/2402845ExploitIssue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Third Party Advisory
https://security.netapp.com/advisory/ntap-20240503-0009/Third Party Advisory
https://support.apple.com/kb/HT214118Release NotesVendor Advisory
https://support.apple.com/kb/HT214119Release NotesVendor Advisory
https://support.apple.com/kb/HT214120Release NotesVendor Advisory
http://seclists.org/fulldisclosure/2024/Jul/18Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2024/Jul/19Mailing ListThird Party Advisory

FAQ

What is CVE-2024-2398?

CVE-2024-2398 is a vulnerability with a CVSS score of 8.6 (HIGH). When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When...

How severe is CVE-2024-2398?

CVE-2024-2398 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-2398?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Apple Macos, Fedoraproject Fedora, Netapp Active Iq Unified Manager, Netapp Ontap Select Deploy Administration Utility.