THREATINT
PUBLISHED

CVE-2024-2004

Usage of disabled protocol



Description

When a protocol selection parameter option disables all protocols without adding any, the default set of protocols remains in the allowed set due to an error in the logic for removing protocols. The command below would perform a request to curl.se with a plaintext protocol which has been explicitly disabled.

    curl --proto -all,-http http://curl.se

The flaw is only present if the set of selected protocols disables the entire set of available protocols, which is in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be a low severity bug.

Reserved 2024-02-29 | Published 2024-03-27 | Updated 2025-02-13 | Assigner curl

Problem types

CWE-115 Misinterpretation of Input

Product status

Default status: unaffected

8.6.0: affected
8.5.0: affected
8.4.0: affected
8.3.0: affected
8.2.1: affected
8.2.0: affected
8.1.2: affected
8.1.1: affected
8.1.0: affected
8.0.1: affected
8.0.0: affected
7.88.1: affected
7.88.0: affected
7.87.0: affected
7.86.0: affected
7.85.0: affected
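
As an added illustration (not code from curl or from this advisory), the following Python helper evaluates a --proto value left to right and flags the one condition the description names: every protocol removed and none added, on a release listed as affected above. The SUPPORTED set is a constructed stand-in for a build's protocol list, and ignoring unknown protocol names is a simplifying assumption.

```python
# Added example: an audit helper, not curl's own parser.
# Affected releases exactly as listed under "Product status" on this page.
AFFECTED = {"8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2",
            "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0",
            "7.87.0", "7.86.0", "7.85.0"}

# Assumption: constructed stand-in for the protocols a given build supports.
SUPPORTED = frozenset({"http", "https", "ftp", "ftps", "file", "scp", "sftp"})


def effective_protocols(spec, supported=SUPPORTED):
    """Evaluate a --proto value left to right, starting from the default set."""
    allowed = set(supported)
    for token in spec.split(","):
        token = token.strip().lower()
        if not token:
            continue
        op, name = "+", token          # a bare name means "add"
        if token[0] in "+-=":
            op, name = token[0], token[1:]
        # "all" expands to every supported protocol; unknown names are
        # ignored here (simplifying assumption).
        names = set(supported) if name == "all" else ({name} & set(supported))
        if op == "=":
            allowed = set(names)       # permit only these
        elif op == "-":
            allowed -= names           # remove from the permitted set
        else:
            allowed |= names           # add to the permitted set
    return allowed


def audit(curl_version, proto_spec):
    """Return a finding string, or None when the invocation is not a concern."""
    if effective_protocols(proto_spec):
        return None  # at least one protocol stays enabled: flaw not reachable
    if curl_version in AFFECTED:
        return ("exposed: empty protocol set on an affected release; "
                "the default protocols stay allowed")
    return "empty protocol set: no protocol is permitted"


if __name__ == "__main__":
    # The --proto value from the description, checked against one listed release.
    print(audit("8.6.0", "-all,-http"))
```
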

Credits

Dan Fandrich (finder)

Daniel Gustafsson (remediation developer)

References

curl.se/docs/CVE-2024-2004.json (json)

curl.se/docs/CVE-2024-2004.html (www)

hackerone.com/reports/2384833 (issue)

lists.fedoraproject.org/...GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/

lists.fedoraproject.org/...2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/

www.openwall.com/lists/oss-security/2024/03/27/1

security.netapp.com/advisory/ntap-20240524-0006/

support.apple.com/kb/HT214119

support.apple.com/kb/HT214118

support.apple.com/kb/HT214120

seclists.org/fulldisclosure/2024/Jul/20

seclists.org/fulldisclosure/2024/Jul/18

seclists.org/fulldisclosure/2024/Jul/19

cve.org (CVE-2024-2004)

nvd.nist.gov (CVE-2024-2004)
