6.5

CVE-2024-2466

Exploit

TLS certificate check bypass with mbedTLS

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS.  libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HaxxCurl Version >= 8.5.0 < 8.7.0
ApplemacOS Version < 12.7.6
ApplemacOS Version >= 13.0 < 13.6.8
ApplemacOS Version >= 14.0 < 14.6
NetappH700s Firmware Version-
   NetappH700s Version-
NetappBootstrap Os Version-
   NetappHci Compute Node Version-
NetappH300s Firmware Version-
   NetappH300s Version-
NetappH410s Firmware Version-
   NetappH410s Version-
NetappH500s Firmware Version-
   NetappH500s Version-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.3% 0.667
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-297 Improper Validation of Certificate with Host Mismatch

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

http://www.openwall.com/lists/oss-security/2024/03/27/4
Third Party Advisory
Mailing List
http://seclists.org/fulldisclosure/2024/Jul/18
Third Party Advisory
Mailing List
https://support.apple.com/kb/HT214119
Vendor Advisory
Release Notes
http://seclists.org/fulldisclosure/2024/Jul/19
Third Party Advisory
Mailing List
http://seclists.org/fulldisclosure/2024/Jul/20
Third Party Advisory
Mailing List
https://support.apple.com/kb/HT214118
Vendor Advisory
Release Notes
https://support.apple.com/kb/HT214120
Vendor Advisory
Release Notes
https://curl.se/docs/CVE-2024-2466.html
Vendor Advisory
https://curl.se/docs/CVE-2024-2466.json
Vendor Advisory
https://hackerone.com/reports/2416725
Third Party Advisory
Exploit
Issue Tracking
https://security.netapp.com/advisory/ntap-20240503-0010/
Third Party Advisory
https://www.vicarius.io/vsociety/posts/tls-certificate-check-bypass-curl-with-mbedtls-cve-2024-2466-2468
Third Party Advisory
Exploit
Mitigation