cve-2024-6197
Vulnerability from cvelistv5
Published
2024-07-24 07:29
Modified
2024-08-01 21:33
Severity
7.5 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
freeing stack buffer in utf8asn1str
References
SourceURLTags
2499f714-1537-4658-8207-48ae4bb9eae9http://www.openwall.com/lists/oss-security/2024/07/24/1Mailing List, Third Party Advisory
2499f714-1537-4658-8207-48ae4bb9eae9http://www.openwall.com/lists/oss-security/2024/07/24/5Mailing List, Third Party Advisory
2499f714-1537-4658-8207-48ae4bb9eae9https://curl.se/docs/CVE-2024-6197.htmlVendor Advisory
2499f714-1537-4658-8207-48ae4bb9eae9https://curl.se/docs/CVE-2024-6197.jsonVendor Advisory
2499f714-1537-4658-8207-48ae4bb9eae9https://hackerone.com/reports/2559516Exploit, Issue Tracking, Technical Description
Impacted products
VendorProduct
curlcurl
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:curl:curl:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "curl",
            "vendor": "curl",
            "versions": [
              {
                "lessThanOrEqual": "8.8.0",
                "status": "affected",
                "version": "8.6.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-6197",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-24T18:42:30.556099Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-24T18:44:18.885Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:33:04.981Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "json",
            "tags": [
              "x_transferred"
            ],
            "url": "https://curl.se/docs/CVE-2024-6197.json"
          },
          {
            "name": "www",
            "tags": [
              "x_transferred"
            ],
            "url": "https://curl.se/docs/CVE-2024-6197.html"
          },
          {
            "name": "issue",
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/2559516"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/07/24/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/07/24/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "curl",
          "vendor": "curl",
          "versions": [
            {
              "lessThanOrEqual": "8.8.0",
              "status": "affected",
              "version": "8.8.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.7.1",
              "status": "affected",
              "version": "8.7.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.7.0",
              "status": "affected",
              "version": "8.7.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.6.0",
              "status": "affected",
              "version": "8.6.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "z2_"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "z2_"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libcurl\u0027s ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer.  Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags.  The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-590 Free of Memory not on the Heap",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-24T07:29:50.003Z",
        "orgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
        "shortName": "curl"
      },
      "references": [
        {
          "name": "json",
          "url": "https://curl.se/docs/CVE-2024-6197.json"
        },
        {
          "name": "www",
          "url": "https://curl.se/docs/CVE-2024-6197.html"
        },
        {
          "name": "issue",
          "url": "https://hackerone.com/reports/2559516"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/07/24/1"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/07/24/5"
        }
      ],
      "title": "freeing stack buffer in utf8asn1str"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
    "assignerShortName": "curl",
    "cveId": "CVE-2024-6197",
    "datePublished": "2024-07-24T07:29:50.003Z",
    "dateReserved": "2024-06-20T07:20:43.202Z",
    "dateUpdated": "2024-08-01T21:33:04.981Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-6197\",\"sourceIdentifier\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"published\":\"2024-07-24T08:15:03.340\",\"lastModified\":\"2024-08-26T15:25:59.960\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"libcurl\u0027s ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer.  Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags.  The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.\"},{\"lang\":\"es\",\"value\":\"El analizador ASN1 de libcurl tiene esta funci\u00f3n utf8asn1str() utilizada para analizar una cadena ASN.1 UTF-8. Puede detectar un campo no v\u00e1lido y devolver un error. Desafortunadamente, al hacerlo tambi\u00e9n invoca `free()` en un b\u00fafer localstack de 4 bytes. La mayor\u00eda de las implementaciones modernas de malloc detectan este error y lo abortan inmediatamente. Sin embargo, algunos aceptan el puntero de entrada y agregan esa memoria a su lista de fragmentos disponibles. Esto lleva a la sobrescritura de la memoria de stack. El contenido de la sobrescritura lo decide la implementaci\u00f3n `free()`; Es probable que sean punteros de memoria y un conjunto de banderas. El resultado m\u00e1s probable de explotar este defecto es un colapso, aunque no se puede descartar que se puedan obtener resultados m\u00e1s graves en circunstancias especiales.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.6.0\",\"versionEndExcluding\":\"8.9.0\",\"matchCriteriaId\":\"3D3B1F73-722A-4CD2-B1C4-830050B881D6\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/07/24/1\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/07/24/5\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://curl.se/docs/CVE-2024-6197.html\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://curl.se/docs/CVE-2024-6197.json\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://hackerone.com/reports/2559516\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Technical Description\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.