CVE-2024-8096

Severity: 6.5 MEDIUM
EPSS: 0.5% (top 33.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 11; Latest update Jan 15

Description

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (for example 'unauthorized'), it is not treated as a bad certificate.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (3 packages)

NVD        haxx/curl   7.41.0 to 8.10.0
Debian     curl        < 7.74.0-1.3+deb11u14   (+3)
CVEListV5  curl/curl   8.9.1 to 8.9.1   (+85)

Also affects: Ontap Tools 10, Debian Linux 11.0

Vulnerability Details (4)

CVEList: OCSP stapling bypass with GnuTLS (2024-09-11)
OSV: CVE-2024-8096: When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is va... (2024-09-11)
GHSA: GHSA-gv3v-x3f3-7fxm: When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is va... (2024-09-11)
GHSA: Insecure Jinja2 templates rendered in Haystack Components can lead to RCE (2024-07-31)

Vendor Advisories (5)

Oracle: Oracle Fusion Middleware Risk Matrix: Mod_Security (curl) — CVE-2024-8096 (2025-01-15)
Ubuntu: curl vulnerability (2024-09-16)
Red Hat: curl: OCSP stapling bypass with GnuTLS (2024-09-11)
Microsoft: OCSP stapling bypass with GnuTLS (2024-09-10)
Debian: CVE-2024-8096: curl - When curl is told to use the Certificate Status Request TLS extension, often ref... (2024)

Community (1)

HackerOne: CVE-2024-8096: OCSP stapling bypass with GnuTLS (2024-09-11)

CVE-2024-8096 (MEDIUM, CVSS 6.5) | cvebase.io