QwikSec

Security Database

CVE

CWE

Training

CVE-2024-2398

Published: Mar 27, 2024

Modified: Feb 13, 2025

PUBLISHED

Description

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Vendor	Product	Versions
curl	curl	affected `8.6.0 - <= 8.6.0` affected `8.5.0 - <= 8.5.0` affected `8.4.0 - <= 8.4.0` affected `8.3.0 - <= 8.3.0` affected `8.2.1 - <= 8.2.1` +72 more versions

References

https://lists.fedoraproject.org/archives/list/[email protected]/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/

https://lists.fedoraproject.org/archives/list/[email protected]/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/

http://www.openwall.com/lists/oss-security/2024/03/27/3

https://security.netapp.com/advisory/ntap-20240503-0009/

https://support.apple.com/kb/HT214119

https://support.apple.com/kb/HT214118

https://support.apple.com/kb/HT214120

http://seclists.org/fulldisclosure/2024/Jul/20

http://seclists.org/fulldisclosure/2024/Jul/18

http://seclists.org/fulldisclosure/2024/Jul/19

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.