CVE-2024-2466

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-2466
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/4
https://curl.se/docs/CVE-2024-2466.html
https://curl.se/docs/CVE-2024-2466.json
https://hackerone.com/reports/2416725
https://security.netapp.com/advisory/ntap-20240503-0010/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/4
https://curl.se/docs/CVE-2024-2466.html
https://curl.se/docs/CVE-2024-2466.json
https://hackerone.com/reports/2416725
https://security.netapp.com/advisory/ntap-20240503-0010/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120
https://www.vicarius.io/vsociety/posts/tls-certificate-check-bypass-curl-with-mbedtls-cve-2024-2466-2468
Configurations

No configuration.

History

21 Nov 2024, 09:09

Type Values Removed Values Added
References
  • () https://www.vicarius.io/vsociety/posts/tls-certificate-check-bypass-curl-with-mbedtls-cve-2024-2466-2468 -
References () http://seclists.org/fulldisclosure/2024/Jul/18 - () http://seclists.org/fulldisclosure/2024/Jul/18 -
References () http://seclists.org/fulldisclosure/2024/Jul/19 - () http://seclists.org/fulldisclosure/2024/Jul/19 -
References () http://seclists.org/fulldisclosure/2024/Jul/20 - () http://seclists.org/fulldisclosure/2024/Jul/20 -
References () http://www.openwall.com/lists/oss-security/2024/03/27/4 - () http://www.openwall.com/lists/oss-security/2024/03/27/4 -
References () https://curl.se/docs/CVE-2024-2466.html - () https://curl.se/docs/CVE-2024-2466.html -
References () https://curl.se/docs/CVE-2024-2466.json - () https://curl.se/docs/CVE-2024-2466.json -
References () https://hackerone.com/reports/2416725 - () https://hackerone.com/reports/2416725 -
References () https://security.netapp.com/advisory/ntap-20240503-0010/ - () https://security.netapp.com/advisory/ntap-20240503-0010/ -
References () https://support.apple.com/kb/HT214118 - () https://support.apple.com/kb/HT214118 -
References () https://support.apple.com/kb/HT214119 - () https://support.apple.com/kb/HT214119 -
References () https://support.apple.com/kb/HT214120 - () https://support.apple.com/kb/HT214120 -

23 Aug 2024, 19:35

Type Values Removed Values Added
CWE CWE-297
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5

30 Jul 2024, 02:15

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2024/Jul/18 -
  • () http://seclists.org/fulldisclosure/2024/Jul/19 -

30 Jul 2024, 01:15

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2024/Jul/20 -

29 Jul 2024, 22:15

Type Values Removed Values Added
References
  • () https://support.apple.com/kb/HT214118 -
  • () https://support.apple.com/kb/HT214119 -
  • () https://support.apple.com/kb/HT214120 -

03 May 2024, 13:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240503-0010/ -

01 May 2024, 17:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/03/27/4 -

27 Mar 2024, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-27 08:15

Updated : 2024-11-21 09:09

NVD link : CVE-2024-2466

Mitre link : CVE-2024-2466

CVE.ORG link : CVE-2024-2466

JSON object : View

Products Affected

No product.

CWE
CWE-297

Improper Validation of Certificate with Host Mismatch