curl OCSP Stapling fails to reject nonrevoked error statuses
CVE-2024-8096 Published on September 11, 2024

OCSP stapling bypass with GnuTLS
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

NVD

Vulnerability Analysis

CVE-2024-8096 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Weakness Type

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

Products Associated with CVE-2024-8096

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-8096 are published in these products:

Oracle

Haxx Curl

Debian Linux

NetApp Ontap Select Deploy Administration Utility

NetApp Active Iq Unified Manager

NetApp Ontap Tools

Affected Versions

curl:

Version 8.9.1, <= 8.9.1 is affected.
Version 8.9.0, <= 8.9.0 is affected.
Version 8.8.0, <= 8.8.0 is affected.
Version 8.7.1, <= 8.7.1 is affected.
Version 8.7.0, <= 8.7.0 is affected.
Version 8.6.0, <= 8.6.0 is affected.
Version 8.5.0, <= 8.5.0 is affected.
Version 8.4.0, <= 8.4.0 is affected.
Version 8.3.0, <= 8.3.0 is affected.
Version 8.2.1, <= 8.2.1 is affected.
Version 8.2.0, <= 8.2.0 is affected.
Version 8.1.2, <= 8.1.2 is affected.
Version 8.1.1, <= 8.1.1 is affected.
Version 8.1.0, <= 8.1.0 is affected.
Version 8.0.1, <= 8.0.1 is affected.
Version 8.0.0, <= 8.0.0 is affected.
Version 7.88.1, <= 7.88.1 is affected.
Version 7.88.0, <= 7.88.0 is affected.
Version 7.87.0, <= 7.87.0 is affected.
Version 7.86.0, <= 7.86.0 is affected.
Version 7.85.0, <= 7.85.0 is affected.
Version 7.84.0, <= 7.84.0 is affected.
Version 7.83.1, <= 7.83.1 is affected.
Version 7.83.0, <= 7.83.0 is affected.
Version 7.82.0, <= 7.82.0 is affected.
Version 7.81.0, <= 7.81.0 is affected.
Version 7.80.0, <= 7.80.0 is affected.
Version 7.79.1, <= 7.79.1 is affected.
Version 7.79.0, <= 7.79.0 is affected.
Version 7.78.0, <= 7.78.0 is affected.
Version 7.77.0, <= 7.77.0 is affected.
Version 7.76.1, <= 7.76.1 is affected.
Version 7.76.0, <= 7.76.0 is affected.
Version 7.75.0, <= 7.75.0 is affected.
Version 7.74.0, <= 7.74.0 is affected.
Version 7.73.0, <= 7.73.0 is affected.
Version 7.72.0, <= 7.72.0 is affected.
Version 7.71.1, <= 7.71.1 is affected.
Version 7.71.0, <= 7.71.0 is affected.
Version 7.70.0, <= 7.70.0 is affected.
Version 7.69.1, <= 7.69.1 is affected.
Version 7.69.0, <= 7.69.0 is affected.
Version 7.68.0, <= 7.68.0 is affected.
Version 7.67.0, <= 7.67.0 is affected.
Version 7.66.0, <= 7.66.0 is affected.
Version 7.65.3, <= 7.65.3 is affected.
Version 7.65.2, <= 7.65.2 is affected.
Version 7.65.1, <= 7.65.1 is affected.
Version 7.65.0, <= 7.65.0 is affected.
Version 7.64.1, <= 7.64.1 is affected.
Version 7.64.0, <= 7.64.0 is affected.
Version 7.63.0, <= 7.63.0 is affected.
Version 7.62.0, <= 7.62.0 is affected.
Version 7.61.1, <= 7.61.1 is affected.
Version 7.61.0, <= 7.61.0 is affected.
Version 7.60.0, <= 7.60.0 is affected.
Version 7.59.0, <= 7.59.0 is affected.
Version 7.58.0, <= 7.58.0 is affected.
Version 7.57.0, <= 7.57.0 is affected.
Version 7.56.1, <= 7.56.1 is affected.
Version 7.56.0, <= 7.56.0 is affected.
Version 7.55.1, <= 7.55.1 is affected.
Version 7.55.0, <= 7.55.0 is affected.
Version 7.54.1, <= 7.54.1 is affected.
Version 7.54.0, <= 7.54.0 is affected.
Version 7.53.1, <= 7.53.1 is affected.
Version 7.53.0, <= 7.53.0 is affected.
Version 7.52.1, <= 7.52.1 is affected.
Version 7.52.0, <= 7.52.0 is affected.
Version 7.51.0, <= 7.51.0 is affected.
Version 7.50.3, <= 7.50.3 is affected.
Version 7.50.2, <= 7.50.2 is affected.
Version 7.50.1, <= 7.50.1 is affected.
Version 7.50.0, <= 7.50.0 is affected.
Version 7.49.1, <= 7.49.1 is affected.
Version 7.49.0, <= 7.49.0 is affected.
Version 7.48.0, <= 7.48.0 is affected.
Version 7.47.1, <= 7.47.1 is affected.
Version 7.47.0, <= 7.47.0 is affected.
Version 7.46.0, <= 7.46.0 is affected.
Version 7.45.0, <= 7.45.0 is affected.
Version 7.44.0, <= 7.44.0 is affected.
Version 7.43.0, <= 7.43.0 is affected.
Version 7.42.1, <= 7.42.1 is affected.
Version 7.42.0, <= 7.42.0 is affected.
Version 7.41.0, <= 7.41.0 is affected.

curl:

Version 7.41.0, <= 8.9.1 is affected.

Exploit Probability

EPSS

0.41%

Percentile

61.12%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

curl OCSP Stapling fails to reject nonrevoked error statusesCVE-2024-8096 Published on September 11, 2024

Vulnerability Analysis

Weakness Type

Improper Certificate Validation

Products Associated with CVE-2024-8096

Affected Versions

Exploit Probability

curl OCSP Stapling fails to reject nonrevoked error statuses
CVE-2024-8096 Published on September 11, 2024