Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-2466

Date: March 27, 2024

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).

Language: C

Severity Score

Related Resources (18)

https://seclists.org/oss-sec/2024/q1/256
https://support.apple.com/kb/HT214118
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
https://github.com/curl/curl/commit/3d0fd382a29b95561b90b7ea3e7e
https://hackerone.com/reports/2416725
https://curl.se/docs/CVE-2024-2466.html
https://security.netapp.com/advisory/ntap-20240503-0010/
https://curl.se/docs/CVE-2024-2466.json
https://support.apple.com/kb/HT214119
https://security-tracker.debian.org/tracker/CVE-2024-2466
https://www.vicarius.io/vsociety/posts/tls-certificate-check-bypass-curl-with-mbedtls-cve-2024-2466-2468
https://security.alpinelinux.org/vuln/CVE-2024-2466
https://support.apple.com/kb/HT214120
https://nvd.nist.gov/vuln/detail/CVE-2024-2466
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/4
https://www.mend.io/vulnerability-database/CVE-2024-2466

Severity Score

Weakness Type (CWE)

Improper Validation of Certificate with Host Mismatch

CWE-297

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us