CVE-2024-2379 Information

Mar 28, 2024 cve

Description

libcurl skips the certificate verification for a QUIC connection under certain conditions when built to use wolfSSL. If told to use an unknown/bad cipher or curve the error path accidentally skips the verification and returns OK thus ignoring any certificate problems.

Reference

cve@curl.se https://curl.se/docs/CVE-2024-2379.json https://curl.se/docs/CVE-2024-2379.html https://hackerone.com/reports/2410774 libcurl skips the certificate verification for a QUIC connection under certain conditions when built to use wolfSSL. If told to use an unknown/bad cipher or curve the error path accidentally skips the verification and returns OK thus ignoring any certificate problems.

Share on: