CVE-2024-8096

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-8096
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://curl.se/docs/CVE-2024-8096.html Vendor Advisory
https://curl.se/docs/CVE-2024-8096.json Vendor Advisory
https://hackerone.com/reports/2669852 Exploit Issue Tracking Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/09/11/1 Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20241011-0005/ Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*
History

30 Jul 2025, 19:42

Type Values Removed Values Added
References () https://curl.se/docs/CVE-2024-8096.html - () https://curl.se/docs/CVE-2024-8096.html - Vendor Advisory
References () https://curl.se/docs/CVE-2024-8096.json - () https://curl.se/docs/CVE-2024-8096.json - Vendor Advisory
References () https://hackerone.com/reports/2669852 - () https://hackerone.com/reports/2669852 - Exploit, Issue Tracking, Third Party Advisory
References () http://www.openwall.com/lists/oss-security/2024/09/11/1 - () http://www.openwall.com/lists/oss-security/2024/09/11/1 - Mailing List, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html - () https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html - Mailing List, Third Party Advisory
References () https://security.netapp.com/advisory/ntap-20241011-0005/ - () https://security.netapp.com/advisory/ntap-20241011-0005/ - Third Party Advisory
CPE cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*
First Time Netapp h500s Firmware
Netapp
Debian
Netapp h410s Firmware
Netapp hci Compute Node
Netapp h700s Firmware
Haxx curl
Netapp h700s
Netapp h500s
Debian debian Linux
Netapp ontap Tools
Netapp h300s
Netapp h300s Firmware
Netapp h410s
Haxx
Netapp active Iq Unified Manager
Netapp ontap Select Deploy Administration Utility
Netapp bootstrap Os

21 Nov 2024, 09:52

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/09/11/1 -
  • () https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html -
  • () https://security.netapp.com/advisory/ntap-20241011-0005/ -

11 Sep 2024, 14:35

Type Values Removed Values Added
CWE CWE-295
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
Summary
  • (es) Cuando se le indica a curl que utilice la extensión TLS de solicitud de estado de certificado, a menudo denominada como grapado OCSP, para verificar que el certificado del servidor es válido, es posible que no detecte algunos problemas de OCSP y, en cambio, considere erróneamente que la respuesta es correcta. Si el estado devuelto informa un error distinto de "revocado" (como, por ejemplo, "no autorizado"), no se trata como un certificado incorrecto.

11 Sep 2024, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-11 10:15

Updated : 2025-07-30 19:42

NVD link : CVE-2024-8096

Mitre link : CVE-2024-8096

CVE.ORG link : CVE-2024-8096

JSON object : View

Products Affected

haxx

  • curl

netapp

  • h500s_firmware
  • h410s_firmware
  • h700s_firmware
  • bootstrap_os
  • h700s
  • h410s
  • h500s
  • active_iq_unified_manager
  • ontap_tools
  • h300s
  • h300s_firmware
  • hci_compute_node
  • ontap_select_deploy_administration_utility

debian

  • debian_linux
CWE
CWE-295

Improper Certificate Validation