CURL-CVE-2024-2004

Source

https://curl.se/docs/CVE-2024-2004.html

Import Source

https://curl.se/docs/CURL-CVE-2024-2004.json

Aliases

CVE-2024-2004

Published

2024-03-27T08:00:00Z

Modified

2024-03-27T07:12:10.551612Z

Summary

Usage of disabled protocol

Details

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled.

curl --proto -all,-http http://curl.se

The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.

References

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.85.0

Fixed

8.7.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

e6f8445edef8e7996d1cfb141d6df184efef972c

Fixed

17d302e56221f5040092db77d4f85086e8a20e0e

Affected versions

7.*

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.2.0

8.2.1

8.3.0

8.4.0

8.5.0

8.6.0