{"id":"CURL-CVE-2024-8096","summary":"OCSP stapling bypass with GnuTLS","details":"When curl is told to use the Certificate Status Request TLS extension, often\nreferred to as OCSP stapling, to verify that the server certificate is valid,\nit might fail to detect some OCSP problems and instead wrongly consider the\nresponse as fine.\n\nIf the returned status reports another error than \"revoked\" (like for example\n\"unauthorized\") it is not treated as a bad certificate.","aliases":["CVE-2024-8096"],"modified":"2026-05-18T23:10:23.259854Z","published":"2024-09-11T08:00:00Z","database_specific":{"severity":"Medium","URL":"https://curl.se/docs/CVE-2024-8096.json","CWE":{"desc":"Improper Certificate Validation","id":"CWE-295"},"package":"curl","last_affected":"8.9.1","affects":"both","issue":"https://hackerone.com/reports/2669852","award":{"currency":"USD","amount":"2540"},"www":"https://curl.se/docs/CVE-2024-8096.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.41.0"},{"fixed":"8.10.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"f13669a375f5bfd14797bda91642cabe076974fa"},{"fixed":"aeb1a281cab13c7ba791cb104e556b20e713941f"}]}],"versions":["8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","curl-8_9_1","curl-8_9_0","curl-8_8_0","curl-8_7_1","curl-8_7_0","curl-8_6_0","curl-8_5_0","curl-8_4_0","curl-8_3_0","curl-8_2_1","curl-8_2_0","curl-8_1_2","curl-8_1_1","curl-8_1_0","curl-8_0_1","curl-8_0_0","curl-7_88_1","curl-7_88_0","curl-7_87_0","curl-7_86_0","curl-7_85_0","curl-7_84_0","curl-7_83_1","curl-7_83_0","curl-7_82_0","curl-7_81_0","curl-7_80_0","curl-7_79_1","curl-7_79_0","curl-7_78_0","curl-7_77_0","curl-7_76_1","curl-7_76_0","curl-7_75_0","curl-7_74_0","curl-7_73_0","curl-7_72_0","curl-7_71_1","curl-7_71_0","curl-7_70_0","curl-7_69_1","curl-7_69_0","curl-7_68_0","curl-7_67_0","curl-7_66_0","curl-7_65_3","curl-7_65_2","curl-7_65_1","curl-7_65_0","curl-7_64_1","curl-7_64_0","curl-7_63_0","curl-7_62_0","curl-7_61_1","curl-7_61_0","curl-7_60_0","curl-7_59_0","curl-7_58_0","curl-7_57_0","curl-7_56_1","curl-7_56_0","curl-7_55_1","curl-7_55_0","curl-7_54_1","curl-7_54_0","curl-7_53_1","curl-7_53_0","curl-7_52_1","curl-7_52_0","curl-7_51_0","curl-7_50_3","curl-7_50_2","curl-7_50_1","curl-7_50_0","curl-7_49_1","curl-7_49_0","curl-7_48_0","curl-7_47_1","curl-7_47_0","curl-7_46_0","curl-7_45_0","curl-7_44_0","curl-7_43_0","curl-7_42_0","curl-7_41_0"],"database_specific":{"vanir_signatures":[{"digest":{"length":9318,"function_hash":"240788416469107111537004525007068725322"},"signature_type":"Function","target":{"function":"Curl_gtls_verifyserver","file":"lib/vtls/gtls.c"},"source":"https://github.com/curl/curl.git/commit/aeb1a281cab13c7ba791cb104e556b20e713941f","id":"CURL-CVE-2024-8096-486f8565","signature_version":"v1","deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["303117184947371648792287720611573599118","209946621648742505282756681371815696822","195591179407284657172564313670975308623","58328545754894194640591627435341655549","95852057744293436852001373831703156195","103394213132727310856852927951854566748","265721200941466069487320513987856136607","41726117843492183422027861814872071364","93634130137749873784555808535060409648","36496307838867237812167335780157981804","303844972261704133370078214546791099517","57544969043197931985774335346816809235","17443935767711712262649956180927625143","20109761154480960718460861733647033934","254935086391607542514916564041298854852","148269691299838833912186189299672587512","259140078773706719993079486444571716333","203181427056380040823533688450215684990","47846369047818349017433408976724459051","44854094618002595715182905123762901579","312607733140109101913732261544273906056","82703385633838250685135480737551663542","228626524780139345350987357133924705522","203181427056380040823533688450215684990","80550658282220164429355629002100639109","281327666176597866186361204568484048606","191541904504918446144214037030147982793","125103390510382766955997894677199713617","260554357988199540263737723795941763094","51013153307094541351030497341199171712","102141001015462078839835304458210286502","177997019633562104538978427639838293596","193929651919615858575658013238139305612","149926588059651429960438420690834169786","283100006604064684128108550907612050120","265689625694951369703406636569609049864","187184063256316406878454923276034075034","239425292115393199983444689712585190825","276313841266331685073047625962559528790","125669466248079838760771227798062833996","339102750152923158942446647374771129529","127395975702418494520108209120809922850","43770406347483928085718112032439592744","327659262120512568344171665143917071012","120466021912215999623476059726350455246","272786504616296406921824660943653120038","52491747266315605936408463216198803780","26126299607406525187548261507401676668","291577339880273662000775822736560720017","259616369283920951072325679322188303090","226042970205782793379263274643633089194","92942956495767865323894852428637394263","178144389214233096537729542793578703439","294571860271041379193214312423135354510","289018515318230143023015659699561767394","18160697337673836785113654535079232469","211928128971544311528271404631029382062","281846703668675072436134810393552302359","60538710630836866295679039879265890422","216834106973258000191699976465544991138","289531348347477374609171095856678128318","30690057042575772555072697040419173143","220778866905613532973818531948211751499","319504175873325593195405319580300611012","38222949992890941852590702405023012522","322744630424715530993550610748154172913","264581629138938009987548611517325837027","43754896390189873076651383918988819886","321406363132245855614712275813059961371","275327300807653865996223000837748693968","43025168033754054695641767280077062912","197534042954744831965324262027666772592","179472844240100665577428080087573288249","294586968689328130003269244932619652262","33713397027158062049495689690895931117","203585396085000052671222351349104537035","312145221287237065140509195645921649518","327123428392919230846603042839908051814","263674154252261821814350730511324913570","139029705847748754469162768785573836257"]},"signature_type":"Line","target":{"file":"lib/vtls/gtls.c"},"source":"https://github.com/curl/curl.git/commit/aeb1a281cab13c7ba791cb104e556b20e713941f","id":"CURL-CVE-2024-8096-58d2d761","signature_version":"v1","deprecated":false},{"digest":{"length":4882,"function_hash":"297140625402079151609682920819686662593"},"signature_type":"Function","target":{"function":"gtls_client_init","file":"lib/vtls/gtls.c"},"source":"https://github.com/curl/curl.git/commit/aeb1a281cab13c7ba791cb104e556b20e713941f","id":"CURL-CVE-2024-8096-7035e3bd","signature_version":"v1","deprecated":false}],"source":"https://curl.se/docs/CURL-CVE-2024-8096.json","vanir_signatures_modified":"2026-05-18T23:10:23Z"}}],"schema_version":"1.7.5","credits":[{"name":"Hiroki Kurosawa","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}