CVE-2024-2379
MEDIUM | Platform: macOS
CVE Details
Description
libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.
CVSS 3.1 Score
| Metric | Value |
|---|---|
| Base Score | 6.3 (MEDIUM) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
Weakness
References
- Apple Security Advisory
- NVD Entry
- http://seclists.org/fulldisclosure/2024/Jul/18 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2024/Jul/19 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2024/Jul/20 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2024/03/27/2 (Mailing List, Third Party Advisory)
- https://curl.se/docs/CVE-2024-2379.html (Vendor Advisory)
- https://curl.se/docs/CVE-2024-2379.json (Vendor Advisory)
- https://hackerone.com/reports/2410774 (Exploit, Issue Tracking, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20240531-0001/ (Third Party Advisory)