CVE-2024-9681 — Incorrect Comparison in Curl
Severity: 6.5 MEDIUM (NVD)
EPSS: 0.7% (top 27.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 6; latest update Apr 1
Description
When curl is asked to use HSTS, the expiry time for a subdomain might
overwrite a parent domain's cache entry, making it end sooner or later than
otherwise intended.
This affects curl-using applications that enable HSTS and use URLs with the
insecure `HTTP://` scheme and perform transfers with hosts like
`x.example.com` as well as `example.com`, where the first host is a subdomain
of the second host.
(The HSTS cache either needs to have been populated manually or there needs to
have been previo…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
Exploitability: 2.2 | Impact: 4.2
Patches
Vulnerability Details
OSV: CVE-2024-9681 (2024-11-06), same description as above
GHSA: GHSA-g337-g667-mjvw (2024-11-06), same description as above