CVE-2024-2466 — Improper Validation of Certificate with Host Mismatch in Apple Macos

CWE-297 — Improper Validation of Certificate with Host Mismatch12 documents9 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 64.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Apple Macos Curl

Timeline

PublishedMar 27

Latest updateJul 29

Description

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages4 packages

▶NVDhaxx/curl8.5.0 — 8.7.0

▶NVDapple/macos13.0 — 13.6.8+2

▶Debianhaxx/curl< 8.7.1-1+1

▶CVEListV5curl/curl8.6.0 — 8.6.0+1

🔴Vulnerability Details

GHSA

GHSA-9xr6-qf7m-2jv5: libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS↗2024-03-27

▶

CVEList

TLS certificate check bypass with mbedTLS↗2024-03-27

▶

OSV

CVE-2024-2466: libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS↗2024-03-27

▶

📋Vendor Advisories

Apple

CVE-2024-2466: macOS Sonoma 14.6↗2024-07-29

▶

Apple

CVE-2024-2466: macOS Ventura 13.6.8↗2024-07-29

▶

Apple

CVE-2024-2466: macOS Monterey 12.7.6↗2024-07-29

▶

Red Hat

curl: TLS certificate check bypass with mbedTLS↗2024-03-27

▶

Microsoft

TLS certificate check bypass with mbedTLS↗2024-03-12

▶

💬Community

HackerOne

CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)↗2024-03-29

▶

HackerOne

CVE-2024-2466: TLS certificate check bypass with mbedTLS↗2024-03-27

▶