libcurl Bypass TLS Cert Check for IP Address with mbedTLS
CVE-2024-2466 Published on March 27, 2024
TLS certificate check bypass with mbedTLS
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).
Vulnerability Analysis
CVE-2024-2466 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2024-2466. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Improper Validation of Certificate with Host Mismatch
The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.
Products Associated with CVE-2024-2466
stack.watch emails you whenever new vulnerabilities are published in Haxx Curl or Apple macOS. Just hit a watch button to start following.
Affected Versions
curl:- Version 8.6.0, <= 8.6.0 is affected.
- Version 8.5.0, <= 8.5.0 is affected.
- Version 8.5.0, <= 8.6.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.