CVE-2024-2398 - Vulnerability Details

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Curl	Curl
Redhat	Enterprise Linux Jboss Core Services Rhel Eus Service Interconnect

No data.

Package	CPE	Advisory	Released Date
JBoss Core Services for RHEL 8
jbcs-httpd24-curl-0:8.7.1-2.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-httpd-0:2.4.57-10.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_http2-0:1.15.19-37.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_md-1:2.4.24-6.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_security-0:2.9.3-36.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-nghttp2-0:1.43.0-13.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2024:2693	2024-05-07T00:00:00Z
JBoss Core Services on RHEL 7
jbcs-httpd24-curl-0:8.7.1-2.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-httpd-0:2.4.57-10.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_http2-0:1.15.19-37.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_md-1:2.4.24-6.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-mod_security-0:2.9.3-36.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2024:2693	2024-05-07T00:00:00Z
jbcs-httpd24-nghttp2-0:1.43.0-13.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2024:2693	2024-05-07T00:00:00Z
Red Hat Enterprise Linux 8
curl-0:7.61.1-34.el8_10.2	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:5654	2024-08-20T00:00:00Z
Red Hat Enterprise Linux 9
curl-0:7.76.1-29.el9_4.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:5529	2024-08-19T00:00:00Z
curl-0:7.76.1-29.el9_4.1	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:5529	2024-08-19T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
curl-0:7.76.1-23.el9_2.7	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:3998	2024-06-20T00:00:00Z
Service Interconnect 1.4 for RHEL 9
service-interconnect/skupper-config-sync-rhel9:1.4.7-3	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:10135	2024-11-21T00:00:00Z
service-interconnect/skupper-flow-collector-rhel9:1.4.7-3	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:10135	2024-11-21T00:00:00Z
service-interconnect/skupper-operator-bundle:1.4.7-4	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:10135	2024-11-21T00:00:00Z
service-interconnect/skupper-router-rhel9:2.4.3-7	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:10135	2024-11-21T00:00:00Z
service-interconnect/skupper-service-controller-rhel9:1.4.7-3	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:10135	2024-11-21T00:00:00Z
service-interconnect/skupper-site-controller-rhel9:1.4.7-3	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:10135	2024-11-21T00:00:00Z
service-interconnect/skupper-config-sync-rhel9:1.4.7-2	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:7213	2024-09-26T00:00:00Z
service-interconnect/skupper-flow-collector-rhel9:1.4.7-2	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:7213	2024-09-26T00:00:00Z
service-interconnect/skupper-operator-bundle:1.4.7-2	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:7213	2024-09-26T00:00:00Z
service-interconnect/skupper-router-rhel9:2.4.3-6	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:7213	2024-09-26T00:00:00Z
service-interconnect/skupper-service-controller-rhel9:1.4.7-2	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:7213	2024-09-26T00:00:00Z
service-interconnect/skupper-site-controller-rhel9:1.4.7-2	cpe:/a:redhat:service_interconnect:1.4::el9	RHSA-2024:7213	2024-09-26T00:00:00Z
Service Interconnect 1 for RHEL 9
service-interconnect/skupper-config-sync-rhel9:1.5.5-4	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:11109	2024-12-16T00:00:00Z
service-interconnect/skupper-controller-podman-container-rhel9:1.5.5-4	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:11109	2024-12-16T00:00:00Z
service-interconnect/skupper-controller-podman-rhel9:1.5.5-4	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:11109	2024-12-16T00:00:00Z
service-interconnect/skupper-flow-collector-rhel9:1.5.5-4	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:11109	2024-12-16T00:00:00Z
service-interconnect/skupper-operator-bundle:1.5.5-4	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:11109	2024-12-16T00:00:00Z
service-interconnect/skupper-router-rhel9:2.5.3-6	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:11109	2024-12-16T00:00:00Z
service-interconnect/skupper-service-controller-rhel9:1.5.5-4	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:11109	2024-12-16T00:00:00Z
service-interconnect/skupper-site-controller-rhel9:1.5.5-4	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:11109	2024-12-16T00:00:00Z
service-interconnect/skupper-config-sync-rhel9:1.5.5-3	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:7374	2024-09-30T00:00:00Z
service-interconnect/skupper-controller-podman-container-rhel9:1.5.5-3	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:7374	2024-09-30T00:00:00Z
service-interconnect/skupper-controller-podman-rhel9:1.5.5-3	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:7374	2024-09-30T00:00:00Z
service-interconnect/skupper-flow-collector-rhel9:1.5.5-3	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:7374	2024-09-30T00:00:00Z
service-interconnect/skupper-operator-bundle:1.5.5-3	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:7374	2024-09-30T00:00:00Z
service-interconnect/skupper-router-rhel9:2.5.3-5	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:7374	2024-09-30T00:00:00Z
service-interconnect/skupper-service-controller-rhel9:1.5.5-3	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:7374	2024-09-30T00:00:00Z
service-interconnect/skupper-site-controller-rhel9:1.5.5-3	cpe:/a:redhat:service_interconnect:1::el9	RHSA-2024:7374	2024-09-30T00:00:00Z
Text-Only JBCS
curl	cpe:/a:redhat:jboss_core_services:1	RHSA-2024:2694	2024-05-07T00:00:00Z

References

Link	Providers
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/19
http://seclists.org/fulldisclosure/2024/Jul/20
http://www.openwall.com/lists/oss-security/2024/03/27/3
https://curl.se/docs/CVE-2024-2398.html
https://curl.se/docs/CVE-2024-2398.json
https://hackerone.com/reports/2402845
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
https://nvd.nist.gov/vuln/detail/CVE-2024-2398
https://security.netapp.com/advisory/ntap-20240503-0009/
https://support.apple.com/kb/HT214118
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214120
https://www.cve.org/CVERecord?id=CVE-2024-2398

History

Thu, 13 Feb 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Curl Curl curl
CPEs		cpe:2.3:a:curl:curl:7.4:::::::*
Vendors & Products		Curl Curl curl
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 01 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:service_interconnect:1::el9

Thu, 26 Sep 2024 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat service Interconnect
CPEs		cpe:/a:redhat:service_interconnect:1.4::el9
Vendors & Products		Redhat service Interconnect

Wed, 21 Aug 2024 06:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:8

Mon, 19 Aug 2024 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat enterprise Linux

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2024-03-27T07:55:48.524Z

Updated: 2025-02-13T17:40:07.893Z

Reserved: 2024-03-12T10:59:22.660Z

Link: CVE-2024-2398

Vulnrichment

Updated: 2024-08-01T19:11:53.566Z

NVD

Status : Awaiting Analysis

Published: 2024-03-27T08:15:41.283

Modified: 2024-11-21T09:09:39.960

Link: CVE-2024-2398

Redhat

Severity : Moderate

Publid Date: 2024-03-27T00:00:00Z

Links: CVE-2024-2398 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-2398", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "state": "PUBLISHED", "assignerShortName": "curl", "dateReserved": "2024-03-12T10:59:22.660Z", "datePublished": "2024-03-27T07:55:48.524Z", "dateUpdated": "2025-02-13T17:40:07.893Z"}, "containers": {"cna": {"title": "HTTP/2 push headers memory-leak", "descriptions": [{"lang": "en", "value": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application."}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-29T22:06:29.645Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-772 Missing Release of Resource after Effective Lifetime"}]}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.6.0", "status": "affected", "lessThanOrEqual": "8.6.0", "versionType": "semver"}, {"version": "8.5.0", "status": "affected", "lessThanOrEqual": "8.5.0", "versionType": "semver"}, {"version": "8.4.0", "status": "affected", "lessThanOrEqual": "8.4.0", "versionType": "semver"}, {"version": "8.3.0", "status": "affected", "lessThanOrEqual": "8.3.0", "versionType": "semver"}, {"version": "8.2.1", "status": "affected", "lessThanOrEqual": "8.2.1", "versionType": "semver"}, {"version": "8.2.0", "status": "affected", "lessThanOrEqual": "8.2.0", "versionType": "semver"}, {"version": "8.1.2", "status": "affected", "lessThanOrEqual": "8.1.2", "versionType": "semver"}, {"version": "8.1.1", "status": "affected", "lessThanOrEqual": "8.1.1", "versionType": "semver"}, {"version": "8.1.0", "status": "affected", "lessThanOrEqual": "8.1.0", "versionType": "semver"}, {"version": "8.0.1", "status": "affected", "lessThanOrEqual": "8.0.1", "versionType": "semver"}, {"version": "8.0.0", "status": "affected", "lessThanOrEqual": "8.0.0", "versionType": "semver"}, {"version": "7.88.1", "status": "affected", "lessThanOrEqual": "7.88.1", "versionType": "semver"}, {"version": "7.88.0", "status": "affected", "lessThanOrEqual": "7.88.0", "versionType": "semver"}, {"version": "7.87.0", "status": "affected", "lessThanOrEqual": "7.87.0", "versionType": "semver"}, {"version": "7.86.0", "status": "affected", "lessThanOrEqual": "7.86.0", "versionType": "semver"}, {"version": "7.85.0", "status": "affected", "lessThanOrEqual": "7.85.0", "versionType": "semver"}, {"version": "7.84.0", "status": "affected", "lessThanOrEqual": "7.84.0", "versionType": "semver"}, {"version": "7.83.1", "status": "affected", "lessThanOrEqual": "7.83.1", "versionType": "semver"}, {"version": "7.83.0", "status": "affected", "lessThanOrEqual": "7.83.0", "versionType": "semver"}, {"version": "7.82.0", "status": "affected", "lessThanOrEqual": "7.82.0", "versionType": "semver"}, {"version": "7.81.0", "status": "affected", "lessThanOrEqual": "7.81.0", "versionType": "semver"}, {"version": "7.80.0", "status": "affected", "lessThanOrEqual": "7.80.0", "versionType": "semver"}, {"version": "7.79.1", "status": "affected", "lessThanOrEqual": "7.79.1", "versionType": "semver"}, {"version": "7.79.0", "status": "affected", "lessThanOrEqual": "7.79.0", "versionType": "semver"}, {"version": "7.78.0", "status": "affected", "lessThanOrEqual": "7.78.0", "versionType": "semver"}, {"version": "7.77.0", "status": "affected", "lessThanOrEqual": "7.77.0", "versionType": "semver"}, {"version": "7.76.1", "status": "affected", "lessThanOrEqual": "7.76.1", "versionType": "semver"}, {"version": "7.76.0", "status": "affected", "lessThanOrEqual": "7.76.0", "versionType": "semver"}, {"version": "7.75.0", "status": "affected", "lessThanOrEqual": "7.75.0", "versionType": "semver"}, {"version": "7.74.0", "status": "affected", "lessThanOrEqual": "7.74.0", "versionType": "semver"}, {"version": "7.73.0", "status": "affected", "lessThanOrEqual": "7.73.0", "versionType": "semver"}, {"version": "7.72.0", "status": "affected", "lessThanOrEqual": "7.72.0", "versionType": "semver"}, {"version": "7.71.1", "status": "affected", "lessThanOrEqual": "7.71.1", "versionType": "semver"}, {"version": "7.71.0", "status": "affected", "lessThanOrEqual": "7.71.0", "versionType": "semver"}, {"version": "7.70.0", "status": "affected", "lessThanOrEqual": "7.70.0", "versionType": "semver"}, {"version": "7.69.1", "status": "affected", "lessThanOrEqual": "7.69.1", "versionType": "semver"}, {"version": "7.69.0", "status": "affected", "lessThanOrEqual": "7.69.0", "versionType": "semver"}, {"version": "7.68.0", "status": "affected", "lessThanOrEqual": "7.68.0", "versionType": "semver"}, {"version": "7.67.0", "status": "affected", "lessThanOrEqual": "7.67.0", "versionType": "semver"}, {"version": "7.66.0", "status": "affected", "lessThanOrEqual": "7.66.0", "versionType": "semver"}, {"version": "7.65.3", "status": "affected", "lessThanOrEqual": "7.65.3", "versionType": "semver"}, {"version": "7.65.2", "status": "affected", "lessThanOrEqual": "7.65.2", "versionType": "semver"}, {"version": "7.65.1", "status": "affected", "lessThanOrEqual": "7.65.1", "versionType": "semver"}, {"version": "7.65.0", "status": "affected", "lessThanOrEqual": "7.65.0", "versionType": "semver"}, {"version": "7.64.1", "status": "affected", "lessThanOrEqual": "7.64.1", "versionType": "semver"}, {"version": "7.64.0", "status": "affected", "lessThanOrEqual": "7.64.0", "versionType": "semver"}, {"version": "7.63.0", "status": "affected", "lessThanOrEqual": "7.63.0", "versionType": "semver"}, {"version": "7.62.0", "status": "affected", "lessThanOrEqual": "7.62.0", "versionType": "semver"}, {"version": "7.61.1", "status": "affected", "lessThanOrEqual": "7.61.1", "versionType": "semver"}, {"version": "7.61.0", "status": "affected", "lessThanOrEqual": "7.61.0", "versionType": "semver"}, {"version": "7.60.0", "status": "affected", "lessThanOrEqual": "7.60.0", "versionType": "semver"}, {"version": "7.59.0", "status": "affected", "lessThanOrEqual": "7.59.0", "versionType": "semver"}, {"version": "7.58.0", "status": "affected", "lessThanOrEqual": "7.58.0", "versionType": "semver"}, {"version": "7.57.0", "status": "affected", "lessThanOrEqual": "7.57.0", "versionType": "semver"}, {"version": "7.56.1", "status": "affected", "lessThanOrEqual": "7.56.1", "versionType": "semver"}, {"version": "7.56.0", "status": "affected", "lessThanOrEqual": "7.56.0", "versionType": "semver"}, {"version": "7.55.1", "status": "affected", "lessThanOrEqual": "7.55.1", "versionType": "semver"}, {"version": "7.55.0", "status": "affected", "lessThanOrEqual": "7.55.0", "versionType": "semver"}, {"version": "7.54.1", "status": "affected", "lessThanOrEqual": "7.54.1", "versionType": "semver"}, {"version": "7.54.0", "status": "affected", "lessThanOrEqual": "7.54.0", "versionType": "semver"}, {"version": "7.53.1", "status": "affected", "lessThanOrEqual": "7.53.1", "versionType": "semver"}, {"version": "7.53.0", "status": "affected", "lessThanOrEqual": "7.53.0", "versionType": "semver"}, {"version": "7.52.1", "status": "affected", "lessThanOrEqual": "7.52.1", "versionType": "semver"}, {"version": "7.52.0", "status": "affected", "lessThanOrEqual": "7.52.0", "versionType": "semver"}, {"version": "7.51.0", "status": "affected", "lessThanOrEqual": "7.51.0", "versionType": "semver"}, {"version": "7.50.3", "status": "affected", "lessThanOrEqual": "7.50.3", "versionType": "semver"}, {"version": "7.50.2", "status": "affected", "lessThanOrEqual": "7.50.2", "versionType": "semver"}, {"version": "7.50.1", "status": "affected", "lessThanOrEqual": "7.50.1", "versionType": "semver"}, {"version": "7.50.0", "status": "affected", "lessThanOrEqual": "7.50.0", "versionType": "semver"}, {"version": "7.49.1", "status": "affected", "lessThanOrEqual": "7.49.1", "versionType": "semver"}, {"version": "7.49.0", "status": "affected", "lessThanOrEqual": "7.49.0", "versionType": "semver"}, {"version": "7.48.0", "status": "affected", "lessThanOrEqual": "7.48.0", "versionType": "semver"}, {"version": "7.47.1", "status": "affected", "lessThanOrEqual": "7.47.1", "versionType": "semver"}, {"version": "7.47.0", "status": "affected", "lessThanOrEqual": "7.47.0", "versionType": "semver"}, {"version": "7.46.0", "status": "affected", "lessThanOrEqual": "7.46.0", "versionType": "semver"}, {"version": "7.45.0", "status": "affected", "lessThanOrEqual": "7.45.0", "versionType": "semver"}, {"version": "7.44.0", "status": "affected", "lessThanOrEqual": "7.44.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-2398.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-2398.html", "name": "www"}, {"url": "https://hackerone.com/reports/2402845", "name": "issue"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/27/3"}, {"url": "https://security.netapp.com/advisory/ntap-20240503-0009/"}, {"url": "https://support.apple.com/kb/HT214119"}, {"url": "https://support.apple.com/kb/HT214118"}, {"url": "https://support.apple.com/kb/HT214120"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/20"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/19"}], "credits": [{"lang": "en", "value": "w0x42 on hackerone", "type": "finder"}, {"lang": "en", "value": "Stefan Eissing", "type": "remediation developer"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-2398", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-26T18:57:39.256472Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:curl:curl:7.4:*:*:*:*:*:*:*"], "vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "7.44.0", "versionType": "custom", "lessThanOrEqual": "8.6.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:30:40.286Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.566Z"}, "title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-2398.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-2398.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2402845", "name": "issue", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/27/3", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240503-0009/", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214119", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214118", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214120", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/20", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/19", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2024-2398.json", "name": "json", "tags": ["x_transferred"]}, {"url": "https://curl.se/docs/CVE-2024-2398.html", "name": "www", "tags": ["x_transferred"]}, {"url": "https://hackerone.com/reports/2402845", "name": "issue", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/27/3", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240503-0009/", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214119", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214118", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214120", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/20", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/19", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:53.566Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-2398", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-26T18:57:39.256472Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:curl:curl:7.4:*:*:*:*:*:*:*"], "vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "7.44.0", "versionType": "custom", "lessThanOrEqual": "8.6.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-26T18:42:00.755Z"}}], "cna": {"title": "HTTP/2 push headers memory-leak", "credits": [{"lang": "en", "type": "finder", "value": "w0x42 on hackerone"}, {"lang": "en", "type": "remediation developer", "value": "Stefan Eissing"}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.6.0", "versionType": "semver", "lessThanOrEqual": "8.6.0"}, {"status": "affected", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.0"}, {"status": "affected", "version": "8.4.0", "versionType": "semver", "lessThanOrEqual": "8.4.0"}, {"status": "affected", "version": "8.3.0", "versionType": "semver", "lessThanOrEqual": "8.3.0"}, {"status": "affected", "version": "8.2.1", "versionType": "semver", "lessThanOrEqual": "8.2.1"}, {"status": "affected", "version": "8.2.0", "versionType": "semver", "lessThanOrEqual": "8.2.0"}, {"status": "affected", "version": "8.1.2", "versionType": "semver", "lessThanOrEqual": "8.1.2"}, {"status": "affected", "version": "8.1.1", "versionType": "semver", "lessThanOrEqual": "8.1.1"}, {"status": "affected", "version": "8.1.0", "versionType": "semver", "lessThanOrEqual": "8.1.0"}, {"status": "affected", "version": "8.0.1", "versionType": "semver", "lessThanOrEqual": "8.0.1"}, {"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.0.0"}, {"status": "affected", "version": "7.88.1", "versionType": "semver", "lessThanOrEqual": "7.88.1"}, {"status": "affected", "version": "7.88.0", "versionType": "semver", "lessThanOrEqual": "7.88.0"}, {"status": "affected", "version": "7.87.0", "versionType": "semver", "lessThanOrEqual": "7.87.0"}, {"status": "affected", "version": "7.86.0", "versionType": "semver", "lessThanOrEqual": "7.86.0"}, {"status": "affected", "version": "7.85.0", "versionType": "semver", "lessThanOrEqual": "7.85.0"}, {"status": "affected", "version": "7.84.0", "versionType": "semver", "lessThanOrEqual": "7.84.0"}, {"status": "affected", "version": "7.83.1", "versionType": "semver", "lessThanOrEqual": "7.83.1"}, {"status": "affected", "version": "7.83.0", "versionType": "semver", "lessThanOrEqual": "7.83.0"}, {"status": "affected", "version": "7.82.0", "versionType": "semver", "lessThanOrEqual": "7.82.0"}, {"status": "affected", "version": "7.81.0", "versionType": "semver", "lessThanOrEqual": "7.81.0"}, {"status": "affected", "version": "7.80.0", "versionType": "semver", "lessThanOrEqual": "7.80.0"}, {"status": "affected", "version": "7.79.1", "versionType": "semver", "lessThanOrEqual": "7.79.1"}, {"status": "affected", "version": "7.79.0", "versionType": "semver", "lessThanOrEqual": "7.79.0"}, {"status": "affected", "version": "7.78.0", "versionType": "semver", "lessThanOrEqual": "7.78.0"}, {"status": "affected", "version": "7.77.0", "versionType": "semver", "lessThanOrEqual": "7.77.0"}, {"status": "affected", "version": "7.76.1", "versionType": "semver", "lessThanOrEqual": "7.76.1"}, {"status": "affected", "version": "7.76.0", "versionType": "semver", "lessThanOrEqual": "7.76.0"}, {"status": "affected", "version": "7.75.0", "versionType": "semver", "lessThanOrEqual": "7.75.0"}, {"status": "affected", "version": "7.74.0", "versionType": "semver", "lessThanOrEqual": "7.74.0"}, {"status": "affected", "version": "7.73.0", "versionType": "semver", "lessThanOrEqual": "7.73.0"}, {"status": "affected", "version": "7.72.0", "versionType": "semver", "lessThanOrEqual": "7.72.0"}, {"status": "affected", "version": "7.71.1", "versionType": "semver", "lessThanOrEqual": "7.71.1"}, {"status": "affected", "version": "7.71.0", "versionType": "semver", "lessThanOrEqual": "7.71.0"}, {"status": "affected", "version": "7.70.0", "versionType": "semver", "lessThanOrEqual": "7.70.0"}, {"status": "affected", "version": "7.69.1", "versionType": "semver", "lessThanOrEqual": "7.69.1"}, {"status": "affected", "version": "7.69.0", "versionType": "semver", "lessThanOrEqual": "7.69.0"}, {"status": "affected", "version": "7.68.0", "versionType": "semver", "lessThanOrEqual": "7.68.0"}, {"status": "affected", "version": "7.67.0", "versionType": "semver", "lessThanOrEqual": "7.67.0"}, {"status": "affected", "version": "7.66.0", "versionType": "semver", "lessThanOrEqual": "7.66.0"}, {"status": "affected", "version": "7.65.3", "versionType": "semver", "lessThanOrEqual": "7.65.3"}, {"status": "affected", "version": "7.65.2", "versionType": "semver", "lessThanOrEqual": "7.65.2"}, {"status": "affected", "version": "7.65.1", "versionType": "semver", "lessThanOrEqual": "7.65.1"}, {"status": "affected", "version": "7.65.0", "versionType": "semver", "lessThanOrEqual": "7.65.0"}, {"status": "affected", "version": "7.64.1", "versionType": "semver", "lessThanOrEqual": "7.64.1"}, {"status": "affected", "version": "7.64.0", "versionType": "semver", "lessThanOrEqual": "7.64.0"}, {"status": "affected", "version": "7.63.0", "versionType": "semver", "lessThanOrEqual": "7.63.0"}, {"status": "affected", "version": "7.62.0", "versionType": "semver", "lessThanOrEqual": "7.62.0"}, {"status": "affected", "version": "7.61.1", "versionType": "semver", "lessThanOrEqual": "7.61.1"}, {"status": "affected", "version": "7.61.0", "versionType": "semver", "lessThanOrEqual": "7.61.0"}, {"status": "affected", "version": "7.60.0", "versionType": "semver", "lessThanOrEqual": "7.60.0"}, {"status": "affected", "version": "7.59.0", "versionType": "semver", "lessThanOrEqual": "7.59.0"}, {"status": "affected", "version": "7.58.0", "versionType": "semver", "lessThanOrEqual": "7.58.0"}, {"status": "affected", "version": "7.57.0", "versionType": "semver", "lessThanOrEqual": "7.57.0"}, {"status": "affected", "version": "7.56.1", "versionType": "semver", "lessThanOrEqual": "7.56.1"}, {"status": "affected", "version": "7.56.0", "versionType": "semver", "lessThanOrEqual": "7.56.0"}, {"status": "affected", "version": "7.55.1", "versionType": "semver", "lessThanOrEqual": "7.55.1"}, {"status": "affected", "version": "7.55.0", "versionType": "semver", "lessThanOrEqual": "7.55.0"}, {"status": "affected", "version": "7.54.1", "versionType": "semver", "lessThanOrEqual": "7.54.1"}, {"status": "affected", "version": "7.54.0", "versionType": "semver", "lessThanOrEqual": "7.54.0"}, {"status": "affected", "version": "7.53.1", "versionType": "semver", "lessThanOrEqual": "7.53.1"}, {"status": "affected", "version": "7.53.0", "versionType": "semver", "lessThanOrEqual": "7.53.0"}, {"status": "affected", "version": "7.52.1", "versionType": "semver", "lessThanOrEqual": "7.52.1"}, {"status": "affected", "version": "7.52.0", "versionType": "semver", "lessThanOrEqual": "7.52.0"}, {"status": "affected", "version": "7.51.0", "versionType": "semver", "lessThanOrEqual": "7.51.0"}, {"status": "affected", "version": "7.50.3", "versionType": "semver", "lessThanOrEqual": "7.50.3"}, {"status": "affected", "version": "7.50.2", "versionType": "semver", "lessThanOrEqual": "7.50.2"}, {"status": "affected", "version": "7.50.1", "versionType": "semver", "lessThanOrEqual": "7.50.1"}, {"status": "affected", "version": "7.50.0", "versionType": "semver", "lessThanOrEqual": "7.50.0"}, {"status": "affected", "version": "7.49.1", "versionType": "semver", "lessThanOrEqual": "7.49.1"}, {"status": "affected", "version": "7.49.0", "versionType": "semver", "lessThanOrEqual": "7.49.0"}, {"status": "affected", "version": "7.48.0", "versionType": "semver", "lessThanOrEqual": "7.48.0"}, {"status": "affected", "version": "7.47.1", "versionType": "semver", "lessThanOrEqual": "7.47.1"}, {"status": "affected", "version": "7.47.0", "versionType": "semver", "lessThanOrEqual": "7.47.0"}, {"status": "affected", "version": "7.46.0", "versionType": "semver", "lessThanOrEqual": "7.46.0"}, {"status": "affected", "version": "7.45.0", "versionType": "semver", "lessThanOrEqual": "7.45.0"}, {"status": "affected", "version": "7.44.0", "versionType": "semver", "lessThanOrEqual": "7.44.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2024-2398.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2024-2398.html", "name": "www"}, {"url": "https://hackerone.com/reports/2402845", "name": "issue"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/27/3"}, {"url": "https://security.netapp.com/advisory/ntap-20240503-0009/"}, {"url": "https://support.apple.com/kb/HT214119"}, {"url": "https://support.apple.com/kb/HT214118"}, {"url": "https://support.apple.com/kb/HT214120"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/20"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/19"}], "descriptions": [{"lang": "en", "value": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-772 Missing Release of Resource after Effective Lifetime"}]}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2024-07-29T22:06:29.645Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2398", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:40:07.893Z", "dateReserved": "2024-03-12T10:59:22.660Z", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "datePublished": "2024-03-27T07:55:48.524Z", "assignerShortName": "curl"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application."}, {"lang": "es", "value": "Cuando una aplicaci\u00f3n le dice a libcurl que quiere permitir la inserci\u00f3n del servidor HTTP/2 y la cantidad de encabezados recibidos para la inserci\u00f3n supera el l\u00edmite m\u00e1ximo permitido (1000), libcurl cancela la inserci\u00f3n del servidor. Al cancelar, libcurl inadvertidamente no libera todos los encabezados previamente asignados y, en cambio, pierde memoria. Adem\u00e1s, esta condici\u00f3n de error falla silenciosamente y, por lo tanto, una aplicaci\u00f3n no la detecta f\u00e1cilmente."}], "id": "CVE-2024-2398", "lastModified": "2024-11-21T09:09:39.960", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-27T08:15:41.283", "references": [{"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "http://seclists.org/fulldisclosure/2024/Jul/19"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "http://seclists.org/fulldisclosure/2024/Jul/20"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "http://www.openwall.com/lists/oss-security/2024/03/27/3"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2024-2398.html"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2024-2398.json"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://hackerone.com/reports/2402845"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://security.netapp.com/advisory/ntap-20240503-0009/"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://support.apple.com/kb/HT214118"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://support.apple.com/kb/HT214119"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://support.apple.com/kb/HT214120"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jul/19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jul/20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/27/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://curl.se/docs/CVE-2024-2398.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://curl.se/docs/CVE-2024-2398.json"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://hackerone.com/reports/2402845"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240503-0009/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214118"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214119"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214120"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-curl-0:8.7.1-2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.57-10.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_http2-0:1.15.19-37.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_md-1:2.4.24-6.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_security-0:2.9.3-36.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-nghttp2-0:1.43.0-13.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:8.7.1-2.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.57-10.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:1.15.19-37.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_md-1:2.4.24-6.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.3-36.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-nghttp2-0:1.43.0-13.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:5654", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "curl-0:7.61.1-34.el8_10.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-20T00:00:00Z"}, {"advisory": "RHSA-2024:5529", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "curl-0:7.76.1-29.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-19T00:00:00Z"}, {"advisory": "RHSA-2024:5529", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "curl-0:7.76.1-29.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-19T00:00:00Z"}, {"advisory": "RHSA-2024:3998", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "curl-0:7.76.1-23.el9_2.7", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:10135", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.4.7-3", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10135", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.4.7-3", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10135", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-operator-bundle:1.4.7-4", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10135", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-router-rhel9:2.4.3-7", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10135", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.4.7-3", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:10135", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.4.7-3", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-11-21T00:00:00Z"}, {"advisory": "RHSA-2024:7213", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.4.7-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-09-26T00:00:00Z"}, {"advisory": "RHSA-2024:7213", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.4.7-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-09-26T00:00:00Z"}, {"advisory": "RHSA-2024:7213", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-operator-bundle:1.4.7-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-09-26T00:00:00Z"}, {"advisory": "RHSA-2024:7213", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-router-rhel9:2.4.3-6", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-09-26T00:00:00Z"}, {"advisory": "RHSA-2024:7213", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.4.7-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-09-26T00:00:00Z"}, {"advisory": "RHSA-2024:7213", "cpe": "cpe:/a:redhat:service_interconnect:1.4::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.4.7-2", "product_name": "Service Interconnect 1.4 for RHEL 9", "release_date": "2024-09-26T00:00:00Z"}, {"advisory": "RHSA-2024:11109", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.5.5-4", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11109", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-container-rhel9:1.5.5-4", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11109", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-rhel9:1.5.5-4", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11109", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.5.5-4", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11109", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-operator-bundle:1.5.5-4", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11109", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-router-rhel9:2.5.3-6", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11109", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.5.5-4", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:11109", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.5.5-4", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2024:7374", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-config-sync-rhel9:1.5.5-3", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-09-30T00:00:00Z"}, {"advisory": "RHSA-2024:7374", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-container-rhel9:1.5.5-3", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-09-30T00:00:00Z"}, {"advisory": "RHSA-2024:7374", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-controller-podman-rhel9:1.5.5-3", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-09-30T00:00:00Z"}, {"advisory": "RHSA-2024:7374", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-flow-collector-rhel9:1.5.5-3", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-09-30T00:00:00Z"}, {"advisory": "RHSA-2024:7374", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-operator-bundle:1.5.5-3", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-09-30T00:00:00Z"}, {"advisory": "RHSA-2024:7374", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-router-rhel9:2.5.3-5", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-09-30T00:00:00Z"}, {"advisory": "RHSA-2024:7374", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-service-controller-rhel9:1.5.5-3", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-09-30T00:00:00Z"}, {"advisory": "RHSA-2024:7374", "cpe": "cpe:/a:redhat:service_interconnect:1::el9", "package": "service-interconnect/skupper-site-controller-rhel9:1.5.5-3", "product_name": "Service Interconnect 1 for RHEL 9", "release_date": "2024-09-30T00:00:00Z"}, {"advisory": "RHSA-2024:2694", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "curl", "product_name": "Text-Only JBCS", "release_date": "2024-05-07T00:00:00Z"}], "bugzilla": {"description": "curl: HTTP/2 push headers memory-leak", "id": "2270498", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270498"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-772", "details": ["When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", "A flaw was found in curl. When an application configures libcurl to use HTTP/2 server push and the amount of received headers for the push surpasses the maximum allowed limit, libcurl aborts the server push. When aborting, libcurl does not free all the previously allocated headers, resulting in a memory leak."], "name": "CVE-2024-2398", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "httpd24-curl", "product_name": "Red Hat Software Collections"}], "public_date": "2024-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-2398\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-2398\nhttps://curl.se/docs/CVE-2024-2398.html"], "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object