8.6

CVE-2024-2398

Exploit

HTTP/2 push headers memory-leak

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.  Further, this error condition fails silently and is therefore not easily detected by an application.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HaxxCurl Version >= 7.44.0 < 8.7.0
ApplemacOS Version < 12.7.6
ApplemacOS Version >= 13.0 < 13.6.8
ApplemacOS Version >= 14.0 < 14.6
FedoraprojectFedora Version39
FedoraprojectFedora Version40
NetappActive Iq Unified Manager Version- SwPlatformvmware_vsphere
NetappBootstrap Os Version-
   NetappHci Compute Node Version-
NetappH300s Firmware Version-
   NetappH300s Version-
NetappH410s Firmware Version-
   NetappH410s Version-
NetappH500s Firmware Version-
   NetappH500s Version-
NetappH610c Firmware Version-
   NetappH610c Version-
NetappH610s Firmware Version-
   NetappH610s Version-
NetappH615c Firmware Version-
   NetappH615c Version-
NetappH700s Firmware Version-
   NetappH700s Version-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 36.08% 0.983
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.6 3.9 4.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CWE-772 Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

http://seclists.org/fulldisclosure/2024/Jul/18
Third Party Advisory
Mailing List
https://support.apple.com/kb/HT214119
Vendor Advisory
Release Notes
http://seclists.org/fulldisclosure/2024/Jul/19
Third Party Advisory
Mailing List
http://seclists.org/fulldisclosure/2024/Jul/20
Third Party Advisory
Mailing List
https://support.apple.com/kb/HT214118
Vendor Advisory
Release Notes
https://support.apple.com/kb/HT214120
Vendor Advisory
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/03/27/3
Third Party Advisory
Mailing List
https://curl.se/docs/CVE-2024-2398.html
Vendor Advisory
https://curl.se/docs/CVE-2024-2398.json
Vendor Advisory
https://hackerone.com/reports/2402845
Third Party Advisory
Exploit
Issue Tracking
https://security.netapp.com/advisory/ntap-20240503-0009/
Third Party Advisory