Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Published

2024-03-27T08:15:41.283

Last Modified

2025-07-30T19:42:27.063

Status

Analyzed

Source

2499f714-1537-4658-8207-48ae4bb9eae9

Severity

CVSSv3.1: 8.6 (HIGH)

Weaknesses

Type: Primary
CWE-772

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	haxx	curl	< 8.7.0	Yes
Operating System	apple	macos	< 12.7.6	Yes
Operating System	apple	macos	< 13.6.8	Yes
Operating System	apple	macos	< 14.6	Yes
Operating System	fedoraproject	fedora	39	Yes
Operating System	fedoraproject	fedora	40	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	ontap_select_deploy_administration_utility	-	Yes
Operating System	netapp	brocade_fabric_operating_system	-	Yes
Operating System	netapp	bootstrap_os	-	Yes
Hardware	netapp	hci_compute_node	-	No
Operating System	netapp	h300s_firmware	-	Yes
Hardware	netapp	h300s	-	No
Operating System	netapp	h410s_firmware	-	Yes
Hardware	netapp	h410s	-	No
Operating System	netapp	h500s_firmware	-	Yes
Hardware	netapp	h500s	-	No
Operating System	netapp	h610c_firmware	-	Yes
Hardware	netapp	h610c	-	No
Operating System	netapp	h610s_firmware	-	Yes
Hardware	netapp	h610s	-	No
Operating System	netapp	h615c_firmware	-	Yes
Hardware	netapp	h615c	-	No
Operating System	netapp	h700s_firmware	-	Yes
Hardware	netapp	h700s	-	No

References

http://seclists.org/fulldisclosure/2024/Jul/18 Mailing List, Third Party Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
http://seclists.org/fulldisclosure/2024/Jul/19 Mailing List, Third Party Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
http://seclists.org/fulldisclosure/2024/Jul/20 Mailing List, Third Party Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
http://www.openwall.com/lists/oss-security/2024/03/27/3 Mailing List, Third Party Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://curl.se/docs/CVE-2024-2398.html Vendor Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://curl.se/docs/CVE-2024-2398.json Vendor Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://hackerone.com/reports/2402845 Exploit, Issue Tracking, Third Party Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://lists.fedoraproject.org/archives/list/[email protected]/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/ Third Party Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://lists.fedoraproject.org/archives/list/[email protected]/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/ Third Party Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://security.netapp.com/advisory/ntap-20240503-0009/ Third Party Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://support.apple.com/kb/HT214118 Release Notes, Vendor Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://support.apple.com/kb/HT214119 Release Notes, Vendor Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
https://support.apple.com/kb/HT214120 Release Notes, Vendor Advisory (2499f714-1537-4658-8207-48ae4bb9eae9)
http://seclists.org/fulldisclosure/2024/Jul/18 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2024/Jul/19 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2024/Jul/20 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2024/03/27/3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://curl.se/docs/CVE-2024-2398.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://curl.se/docs/CVE-2024-2398.json Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/2402845 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20240503-0009/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT214118 Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT214119 Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT214120 Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)