When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

redhat_unpatched curl: curl: Unpatched vulnerabilities

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2693 advisory.

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

  - libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to     use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the     verification and returns OK, thus ignoring any certificate problems. (CVE-2024-2379)

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

  - libcurl did not check the server certificate of TLS connections done to a host specified as an IP address,     when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified     hostname was given as an IP address, therefore completely skipping the certificate check. This affects all     uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc). (CVE-2024-2466)

  - HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an     informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
    (CVE-2024-27316)

  - nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior     to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is     reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2     v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream.
    There is no workaround for this vulnerability. (CVE-2024-28182)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1151-2 advisory.

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of curl installed on the remote host is prior to 8.3.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2526 advisory.

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 24.04 LTS. host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6718-3 advisory.

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-a09456b7a9 advisory.

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-596 advisory.

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-6dab59bd47 advisory.

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1151-1 advisory.

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1150-1 advisory.

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Curl installed on the remote host is between 7.44.0 and prior to 8.7.0. It is, therefore, affected by a memory-leak vulnerability. When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
Further, this error condition fails silently and is therefore not easily detected by an application.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of curl installed on the remote host is prior to 8.7.1. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2024-087-01 advisory.

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

  - libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to     use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the     verification and returns OK, thus ignoring any certificate problems. (CVE-2024-2379)

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

  - libcurl did not check the server certificate of TLS connections done to a host specified as an IP address,     when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified     hostname was given as an IP address, therefore completely skipping the certificate check. This affects all     uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc). (CVE-2024-2466)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-6718-2 advisory.

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6718-1 advisory.

  - When a protocol selection parameter option disables all protocols without adding any then the default set     of protocols would remain in the allowed set due to an error in the logic for removing protocols. The     below command would perform a request to curl.se with a plaintext protocol which has been explicitly     disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols     disables the entire set of available protocols, in itself a command with no practical use and therefore     unlikely to be encountered in real situations. The curl security team has thus assessed this to be low     severity bug. (CVE-2024-2004)

  - When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers     for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,     libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
    Further, this error condition fails silently and is therefore not easily detected by an application.
    (CVE-2024-2398)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
195128	RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP4 (RHSA-2024:2693)	Nessus	Red Hat Local Security Checks	medium
195091	SUSE SLES15 Security Update : curl (SUSE-SU-2024:1151-2)	Nessus	SuSE Local Security Checks	low
194866	Amazon Linux 2 : curl (ALAS-2024-2526)	Nessus	Amazon Linux Local Security Checks	low
194732	Ubuntu 24.04 LTS. : curl vulnerabilities (USN-6718-3)	Nessus	Ubuntu Local Security Checks	low
194511	Fedora 40 : curl (2024-a09456b7a9)	Nessus	Fedora Local Security Checks	low
194487	Amazon Linux 2023 : curl, curl-minimal, libcurl (ALAS2023-2024-596)	Nessus	Amazon Linux Local Security Checks	low
193860	Fedora 39 : curl (2024-6dab59bd47)	Nessus	Fedora Local Security Checks	low
193065	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : curl (SUSE-SU-2024:1151-1)	Nessus	SuSE Local Security Checks	low
193060	SUSE SLES12 Security Update : curl (SUSE-SU-2024:1150-1)	Nessus	SuSE Local Security Checks	low
192704	Curl 7.44.0 < 8.7.0 HTTP/2 Push Headers Memory-leak (CVE-2024-2398)	Nessus	Misc.	high
192632	Slackware Linux 15.0 / current curl Multiple Vulnerabilities (SSA:2024-087-01)	Nessus	Slackware Local Security Checks	high
192630	Ubuntu 16.04 LTS / 18.04 LTS : curl vulnerability (USN-6718-2)	Nessus	Ubuntu Local Security Checks	high
192621	Ubuntu 20.04 LTS / 22.04 LTS / 23.10 : curl vulnerabilities (USN-6718-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2024-2398

high

Tenable Plugins

Coming Soon

medium

low

low

low

low

low

low

low

low

high

high

high

high