Alpine: libcurl, multiple curl packages: security update to 8.7.1-r0

high Tenable Self-Hosted Container Security Plugin ID 423817

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- When a protocol selection parameter option disables all protocols without adding any, the default set
of protocols would remain in the allowed set due to an error in the logic for removing protocols. The
command below would perform a request to curl.se with a plaintext protocol that has been explicitly
disabled:

curl --proto -all,-http http://curl.se

The flaw is only present if the set of selected protocols disables the entire set of available protocols,
in itself a command with no practical use and therefore unlikely to be encountered in real situations. The
curl security team has thus assessed this to be a low severity bug. (CVE-2024-2004)

- libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to
use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the
verification and returns OK, thus ignoring any certificate problems. (CVE-2024-2379)

- When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers
for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting,
libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory.
Further, this error condition fails silently and is therefore not easily detected by an application.
(CVE-2024-2398)

- libcurl did not check the server certificate of TLS connections made to a host specified as an IP address,
when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified
hostname was given as an IP address, therefore completely skipping the certificate check. This affects all
uses of TLS protocols (HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc.). (CVE-2024-2466)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-2004

https://security.alpinelinux.org/vuln/CVE-2024-2379

https://security.alpinelinux.org/vuln/CVE-2024-2398

https://security.alpinelinux.org/vuln/CVE-2024-2466

Plugin Details

Severity: High

ID: 423817

Version: Revision 1.12

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Tenable Self-Hosted Container Security, Agentless Assessment, Tenable Cloud Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.61

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:P

CVSS Score Source: CVE-2024-2398

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/12/2023

Reference Information

CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466

IAVA: 2024-A-0185-S