MEDIUM · 6.5

CVE-2024-8096


Vulnerability Description

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports an error other than 'revoked' (for example 'unauthorized'), it is not treated as a bad certificate.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: NONE

Affected Products

Vendor | Product | Versions
Haxx | Curl | >= 7.41.0, < 8.10.0
Debian | Debian Linux | 11.0
Netapp | Active Iq Unified Manager | -
Netapp | Ontap Select Deploy Administration Utility | -
Netapp | Ontap Tools | 10
Netapp | Bootstrap Os | -
Netapp | Hci Compute Node | -
Netapp | H300S Firmware | -
Netapp | H300S | -
Netapp | H410S Firmware | -
Netapp | H410S | -
Netapp | H500S Firmware | -
Netapp | H500S | -
Netapp | H700S Firmware | -
Netapp | H700S | -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2024-8096?

CVE-2024-8096 is a vulnerability with a CVSS score of 6.5 (MEDIUM). When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports an error other than 'revoked' (for example 'unauthorized'), it is not treated as a bad certificate.

How severe is CVE-2024-8096?

CVE-2024-8096 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-8096?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Debian Debian Linux, Netapp Active Iq Unified Manager, Netapp Ontap Select Deploy Administration Utility, Netapp Ontap Tools.