MEDIUM · 6.5

CVE-2024-2466


Vulnerability Description

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc.).

In practice, an affected build opening a connection such as https://203.0.113.10/ (illustrative address) accepted whatever certificate the peer presented, so an attacker positioned on the network path could impersonate the server and read or alter the traffic. Two conditions must both hold: libcurl is built against the mbedTLS backend, and the URL names the host as an IP literal. Connections made by hostname, and builds that use another TLS backend (OpenSSL, GnuTLS, wolfSSL, Schannel, Secure Transport), are not affected by this CVE. The libcurl version and the TLS backend of a given build are printed on the first line of `curl --version`.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Affected Products

Vendor   Product              Versions
Haxx     curl                 >= 8.5.0, < 8.7.0
Apple    macOS                < 12.7.6
NetApp   H700S Firmware       -
NetApp   H700S                -
NetApp   Bootstrap OS         -
NetApp   HCI Compute Node     -
NetApp   H300S Firmware       -
NetApp   H300S                -
NetApp   H410S Firmware       -
NetApp   H410S                -
NetApp   H500S Firmware       -
NetApp   H500S                -

A dash means the source lists the product as affected without a version range; the curl range is the one that matters for determining exposure, since the other entries are products that bundle libcurl.

References

https://curl.se/docs/CVE-2024-2466.html (curl project advisory)
https://nvd.nist.gov/vuln/detail/CVE-2024-2466 (NVD entry)

FAQ

What is CVE-2024-2466?

CVE-2024-2466 is a vulnerability with a CVSS score of 6.5 (MEDIUM). libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check.

How severe is CVE-2024-2466?

CVE-2024-2466 has been rated MEDIUM with a CVSS base score of 6.5/10. The rating reflects a network-reachable attack needing no privileges or user interaction (AV:N/AC:L/PR:N/UI:N) with low confidentiality and integrity impact (C:L/I:L/A:N); see the CVSS metrics above. Treat the impact as higher in deployments that deliberately connect over TLS to IP-addressed endpoints with an mbedTLS-built libcurl, because on those connections an attacker on the path can impersonate the server and read or modify everything sent.

Is there a patch for CVE-2024-2466?

Yes. The curl project fixed the bug in curl 8.7.0; per the table above the affected range is 8.5.0 up to, but not including, 8.7.0. Apple shipped the fix in macOS 12.7.6. NetApp lists the H-series products, HCI Compute Node and Bootstrap OS without version detail, so check NetApp's guidance for those. Until a build is upgraded, only mbedTLS-backed libcurl connecting to a host given as an IP address is exposed; connecting by hostname, or using a build with a different TLS backend, is not affected by this CVE.
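The description above gives the two conditions for exposure (an mbedTLS-backed libcurl in the 8.5.0 to 8.6.x range, and a TLS URL whose host is an IP literal), and the patch question above comes down to checking them. The script below is an added example, not curl project code: it parses the first line of `curl --version` output for the libcurl version and the linked TLS library, classifies a URL's host as an IP literal or a name, and combines the two. The sample version lines are constructed for the example; the `live_check()` helper runs the real `curl --version` on the current host and is only invoked when the script is run directly.

```python
"""Is this curl build, and this URL, in scope for CVE-2024-2466?

Added example, not curl project code. Conditions follow the advisory text:
  1. libcurl 8.5.0 <= version < 8.7.0 built with the mbedTLS backend, and
  2. a TLS-scheme URL naming the host as an IPv4 or IPv6 literal.
"""
import ipaddress
import re
import subprocess
from urllib.parse import urlsplit

AFFECTED_FROM = (8, 5, 0)
FIXED_IN = (8, 7, 0)
# curl schemes that set up TLS from the start of the connection.
TLS_SCHEMES = {"https", "ftps", "imaps", "pop3s", "smtps", "ldaps"}

# Constructed sample first lines of `curl --version` (not captured output).
MBEDTLS_BUILD = "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 mbedTLS/3.5.2 zlib/1.3"
OPENSSL_BUILD = "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0"
FIXED_BUILD = "curl 8.7.1 (x86_64-pc-linux-gnu) libcurl/8.7.1 mbedTLS/3.6.0 zlib/1.3"
OLD_BUILD = "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 mbedTLS/3.5.0 zlib/1.3"


def parse_version_line(line):
    """Return (libcurl version tuple, set of linked library names).

    The first line of `curl --version` lists each linked library as
    'Name/version'; the TLS backend appears there (e.g. mbedTLS/3.5.2).
    A build with several backends lists all of them, so a match on
    'mbedTLS' means mbedTLS is available, not necessarily the default.
    """
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", line)
    if not m:
        raise ValueError("no libcurl/x.y.z token in %r" % line)
    version = tuple(int(x) for x in m.groups())
    libs = set(re.findall(r"([A-Za-z][\w-]*)/[\w.\-]+", line))
    return version, libs


def build_affected(line):
    """True when the build is mbedTLS-backed and inside the affected range."""
    version, libs = parse_version_line(line)
    return "mbedTLS" in libs and AFFECTED_FROM <= version < FIXED_IN


def ip_literal_tls_target(url):
    """True when the URL uses a TLS scheme and names the host as an IP
    literal (dotted IPv4 or bracketed IPv6), the case in which the
    hostname setter was skipped and the certificate went unchecked."""
    u = urlsplit(url)
    if u.scheme.lower() not in TLS_SCHEMES or not u.hostname:
        return False
    try:
        ipaddress.ip_address(u.hostname)   # urlsplit strips IPv6 brackets
    except ValueError:
        return False
    return True


def exposed(line, url):
    """Both conditions must hold for the certificate check to be skipped."""
    return build_affected(line) and ip_literal_tls_target(url)


def live_check():
    """Run `curl --version` on this host. Returns True/False, or None if
    curl is not installed or fails to run."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return build_affected(out.splitlines()[0])


if __name__ == "__main__":
    print("local curl build affected:", live_check())
    for url in ("https://203.0.113.10/", "https://[2001:db8::1]:8443/",
                "https://example.com/", "http://203.0.113.10/"):
        print(url, "->", ip_literal_tls_target(url))
```

The host classification deliberately uses the URL parser's `hostname` rather than a regex, so bracketed IPv6 literals and explicit ports are handled the same way libcurl sees them; a plain `http://` URL to an IP is reported as out of scope because no TLS handshake takes place.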