CVE-2024-2398

HIGH

Haxx Curl < 8.7.0 - Resource Leak

Description

When an application tells libcurl it wants to allow HTTP/2 server push, and the number of received headers for the push exceeds the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Scores

CVSS v3 8.6
EPSS 0.0196
EPSS Percentile 83.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Classification

CWE
CWE-772
Status published

Affected Products (15)

haxx/curl < 8.7.0
apple/macos < 12.7.6
fedoraproject/fedora
fedoraproject/fedora
netapp/active_iq_unified_manager
netapp/ontap_select_deploy_administration_utility
netapp/brocade_fabric_operating_system
netapp/bootstrap_os
netapp/h300s_firmware
netapp/h410s_firmware
netapp/h500s_firmware
netapp/h610c_firmware
netapp/h610s_firmware
netapp/h615c_firmware
netapp/h700s_firmware

Timeline

Published Mar 27, 2024
Tracked Since Feb 18, 2026