{"id":"CURL-CVE-2024-2379","summary":"QUIC certificate check bypass with wolfSSL","details":"libcurl skips the certificate verification for a QUIC connection under certain\nconditions, when built to use wolfSSL. If told to use an unknown/bad cipher or\ncurve, the error path accidentally skips the verification and returns OK, thus\nignoring any certificate problems.","aliases":["CVE-2024-2379"],"modified":"2024-09-11T06:13:09.686050Z","published":"2024-03-27T08:00:00Z","database_specific":{"affects":"both","package":"curl","www":"https://curl.se/docs/CVE-2024-2379.html","last_affected":"8.6.0","award":{"currency":"USD","amount":"540"},"CWE":{"desc":"Improper Certificate Validation","id":"CWE-295"},"severity":"Low","issue":"https://hackerone.com/reports/2410774","URL":"https://curl.se/docs/CVE-2024-2379.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.6.0"},{"fixed":"8.7.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"5d044ad9480a9f556f4b6a252d7533b1ba7fe57e"},{"fixed":"aedbbdf18e689a5eee8dc39600914f5eda6c409c"}]}],"versions":["8.6.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2024-2379.json","vanir_signatures":[{"signature_type":"Function","digest":{"length":2335,"function_hash":"308331943041861371639039538192042483189"},"target":{"function":"curl_wssl_init_ctx","file":"lib/vquic/vquic-tls.c"},"signature_version":"v1","deprecated":false,"id":"CURL-CVE-2024-2379-4dbeed5c","source":"https://github.com/curl/curl.git/commit/aedbbdf18e689a5eee8dc39600914f5eda6c409c"},{"signature_type":"Line","digest":{"line_hashes":["304710802608863144525034776543861387669","152849649950337135313138391605629341153","87232486737253111567709053838971761644","301176537118206019688446296485190556977","227298720867210619994722286404526464743","320580059432211571039891998163312159337","126589234890986545332356183811704963214","225157769788319158074990015026053240328","217887743343146381480822658135552967292","34586074150797236395501072178400680375","8058249062824325069705209579206231951","257931542921577543445064989776379055335","319170056292468850829997776446338885613","175102669095967882189577713037523353419","28866816341477307423168021789210657964","258973118936269985264340322446427215516"],"threshold":0.9},"target":{"file":"lib/vquic/vquic-tls.c"},"signature_version":"v1","deprecated":false,"id":"CURL-CVE-2024-2379-5f54d04e","source":"https://github.com/curl/curl.git/commit/aedbbdf18e689a5eee8dc39600914f5eda6c409c"}]}}],"schema_version":"1.7.3","credits":[{"name":"Dexter Gerig","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}