#VU87850 Missing Release of Resource after Effective Lifetime in cURL - CVE-2024-2398


Vulnerability identifier: #VU87850

Vulnerability risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-2398

CWE-ID: CWE-772

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cURL
Client/Desktop applications / Other client software

Vendor: curl.haxx.se

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when sending HTTP/2 server push responses with an overly large number of headers. A remote attacker can send PUSH_PROMISE frames with an excessive amount of headers to the application, trigger memory leak and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cURL: 7.44.0 - 8.6.0

External links
http://curl.haxx.se/docs/CVE-2024-2398.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


IBM watsonx Assistant for IBM Cloud Pak for Data update for cURL libcurl
Multiple vulnerabilities in Multicluster GlobalHub 1.2
Multiple vulnerabilities in IBM Storage Copy Data Management
Multiple vulnerabilities in Guardium Data Security Center
Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.11
Multiple vulnerabilities in Service Interconnect
Multiple vulnerabilities in Red Hat OpenStack 16.2 packages
Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.12
Multiple vulnerabilities in Multicluster Engine for Kubernetes 2.7
Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak