CVE-2024-8096

MEDIUM

curl - Info Disclosure

Title source: llm

Description

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

References (6)

[Vendor Advisory] https://curl.se/docs/CVE-2024-8096.html

[Vendor Advisory] https://curl.se/docs/CVE-2024-8096.json

[Exploit, Issue Tracking, Third Party Advisory] https://hackerone.com/reports/2669852

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2024/09/11/1

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20241011-0005/

Scores

CVSS v3 6.5

EPSS 0.0052

EPSS Percentile 66.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Classification

CWE

CWE-295

Status published

Affected Products (10)

haxx/curl < 8.10.0

debian/debian_linux

netapp/active_iq_unified_manager

netapp/ontap_select_deploy_administration_utility

netapp/ontap_tools

netapp/bootstrap_os

netapp/h300s_firmware

netapp/h410s_firmware

netapp/h500s_firmware

netapp/h700s_firmware

Timeline

Published Sep 11, 2024

Tracked Since Feb 18, 2026