CVE-2024-2398 : When an application tells libcurl it wants to allow HTTP/2 server push, and the

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Published 2024-03-27 08:15:41

Updated 2024-07-30 02:15:05

Source curl

View at NVD, CVE.org

Products affected by CVE-2024-2398

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-2398

EPSS FAQ

2.97%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 86 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-2398

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L	3.9	4.7	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-07-03
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: Low Availability: Low
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	N/A	N/A	RedHat-CVE-2024-2398	2024-03-27
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

References for CVE-2024-2398

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/

[SECURITY] Fedora 39 Update: curl-8.2.1-5.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://hackerone.com/reports/2402845

Sign in | HackerOne
http://seclists.org/fulldisclosure/2024/Jul/20

Full Disclosure: APPLE-SA-07-29-2024-6 macOS Monterey 12.7.6

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2024/03/27/3

oss-security - [SECURITY ADVISORY] curl: CVE-2024-2398: HTTP/2 push headers memory-leak
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/

[SECURITY] Fedora 40 Update: curl-8.6.0-8.fc40 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://curl.se/docs/CVE-2024-2398.json
https://curl.se/docs/CVE-2024-2398.html

curl - HTTP/2 push headers memory-leak - CVE-2024-2398
http://seclists.org/fulldisclosure/2024/Jul/19

Full Disclosure: APPLE-SA-07-29-2024-5 macOS Ventura 13.6.8

CVEs referencing this url
https://support.apple.com/kb/HT214120

About the security content of macOS Ventura 13.6.8 - Apple Support

CVEs referencing this url
https://support.apple.com/kb/HT214119

About the security content of macOS Sonoma 14.6 - Apple Support

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20240503-0009/

CVE-2024-2398 curl Vulnerability in NetApp Products | NetApp Product Security
http://seclists.org/fulldisclosure/2024/Jul/18

Full Disclosure: APPLE-SA-07-29-2024-4 macOS Sonoma 14.6

CVEs referencing this url
https://support.apple.com/kb/HT214118

About the security content of macOS Monterey 12.7.6 - Apple Support

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-2398

Products affected by CVE-2024-2398

Exploit prediction scoring system (EPSS) score for CVE-2024-2398

CVSS scores for CVE-2024-2398

References for CVE-2024-2398