VIR Vulnerability Intelligence Relay

CVE-2024-2398

medium
Published 2024-08-19 ยท Modified 2024-08-20
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
5.5

Description

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker ยท View original โ†— ยท DFSG

CVE-2024-2398 NameCVE-2024-2398 DescriptionWhen an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition failsโ€ฆ

CVE-2024-2398

NameCVE-2024-2398
DescriptionWhen an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)bullseye7.74.0-1.3+deb11u13fixed
bullseye (security)7.74.0-1.3+deb11u16fixed
bookworm7.88.1-10+deb12u14fixed
bookworm (security)7.88.1-10+deb12u5vulnerable
trixie8.14.1-2+deb13u3fixed
forky8.20.0-2fixed
sid8.20.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcebullseye7.74.0-1.3+deb11u12
curlsourcebookworm7.88.1-10+deb12u6
curlsource(unstable)8.7.1-1

Notes

[buster] - curl <postponed> (Minor issue; can be fixed in next update)
https://curl.se/docs/CVE-2024-2398.html
Introduced by: https://github.com/curl/curl/commit/ea7134ac874a66107e54ff93657ac565cf2ec4aa (curl-7_44_0)
Fixed by: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764 (curl-8_7_0)

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
[buster] - curl <postponed> (Minor issue; can be fixed in next update)https://curl.se/docs/CVE-2024-2398.htmlIntroduced by: https://github.com/curl/curl/commit/ea7134ac874a66107e54ff93657ac565cf2ec4aa (curl-7_44_0)Fixed by: https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764 (curl-8_7_0)

OS impact
suse SUSE Affected 1 release
VersionStatusFixed in
โ€” Affected โ€”
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 8.7.1-1
sid Fixed 8.7.1-1
forky Fixed 8.7.1-1
bullseye Fixed 7.74.0-1.3+deb11u12
bookworm Fixed 7.88.1-10+deb12u6
redhat Red Hat Fixed 2 releases
VersionStatusFixed in
9 Fixed โ€”
8 Fixed โ€”
rockylinux Rocky Linux Fixed 1 release
VersionStatusFixed in
8 Fixed โ€”

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.