Lucene search
DfandrichH1:2437131HistoryMar 27, 2024 - 6:16 p.m.
Internet Bug Bounty: Usage of disabled protocol in curl
2024-03-2718:16:37
dfandrich
hackerone.com
$560
37
bug bounty
curl
protocol selection
disabled protocol
security flaw
request security
low severity
When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled.
curl --proto -all,-http http://curl.se
The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.
Impact
Requests can be sent on an unencrypted link even though the application explicitly disabled that.
Related
redhatcve
redhatcve
CVE-2024-2004
2024-03-27 09:26:45
osv
osv
Usage of disabled protocol
2024-03-27 08:00:00
CVE-2024-2004
2024-03-27 08:15:41
curl vulnerabilities
2024-03-27 11:43:38
ubuntucve
ubuntucve
CVE-2024-2004
2024-03-27 00:00:00
debiancve
debiancve
CVE-2024-2004
2024-03-27 08:15:41
hackerone
hackerone
curl: CVE-2024-2004: Usage of disabled protocol
2024-02-21 19:56:12
cgr
cgr
CVE-2024-2004 vulnerabilities
2024-05-19 03:07:16
cvelist
cvelist
CVE-2024-2004 Usage of disabled protocol
2024-03-27 07:54:27
cve
cve
CVE-2024-2004
2024-03-27 08:15:41
veracode
veracode
Logic Error
2024-04-05 20:04:00
alpinelinux
alpinelinux
CVE-2024-2004
2024-03-27 08:15:41
nvd
nvd
CVE-2024-2004
2024-03-27 08:15:41
vulnrichment
vulnrichment
CVE-2024-2004 Usage of disabled protocol
2024-03-27 07:54:27
nessus
nessus
Curl 7.85.0 < 8.7.0 Input Misinterpretation (CVE-2024-2004)
2024-03-29 00:00:00
Amazon Linux 2023 : curl, curl-minimal, libcurl (ALAS2023-2024-596)
2024-04-29 00:00:00
SUSE SLES12 Security Update : curl (SUSE-SU-2024:1150-1)
2024-04-09 00:00:00
wolfi
wolfi
CVE-2024-2004 vulnerabilities
2024-06-25 15:33:25
openvas
openvas
Fedora: Security Advisory for curl (FEDORA-2024-6dab59bd47)
2024-05-27 00:00:00
openSUSE: Security Advisory for curl (SUSE-SU-2024:1151-1)
2024-04-09 00:00:00
Ubuntu: Security Advisory (USN-6718-1)
2024-03-28 00:00:00
amazon
amazon
Medium: curl
2024-04-24 22:15:00
fedora
fedora
[SECURITY] Fedora 40 Update: curl-8.6.0-8.fc40
2024-04-19 21:41:45
[SECURITY] Fedora 39 Update: curl-8.2.1-5.fc39
2024-04-25 01:20:28
ubuntu
ubuntu
curl vulnerabilities
2024-04-29 00:00:00
curl vulnerabilities
2024-03-27 00:00:00
cloudfoundry
cloudfoundry
USN-6718-1: curl vulnerabilities | Cloud Foundry
2024-05-02 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2024-5.0-0233
2024-03-27 00:00:00
Important Photon OS Security Update - PHSA-2024-3.0-0743
2024-03-27 00:00:00
Important Photon OS Security Update - PHSA-2024-4.0-0585
2024-03-27 00:00:00
slackware
slackware
[slackware-security] curl
2024-03-27 19:16:33
mageia
mageia
Updated curl packages fix security vulnerabilities
2024-03-29 06:49:09
redhat
redhat
hp
hp
HP ThinPro 8.0 SP 9 Security Updates
2024-06-17 00:00:00