CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
17.6%
Vulnerabilities in Curl could allow a remote attacker to bypass security restrictions (CVE-2024-2466, CVE-2024-2004, CVE-2024-2379) or cause a denial of service (CVE-2024-2398). PowerSC uses Curl as part of PowerSC Trusted Network Connect (TNC).
CVEID:CVE-2024-2466
**DESCRIPTION:**cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw when built to use mbedTLS. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass TLS certificate check.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286431 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2024-2004
**DESCRIPTION:**cURL libcurl could allow a local attacker to bypass security restrictions, caused by a lfaw in the logic for removing protocols. By sending a specially crafted request, an attacker could exploit this vulnerability to use the disabled set of protocols.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286427 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2024-2379
**DESCRIPTION:**cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw when wolfSSL library was built with the OPENSSL_COMPATIBLE_DEFAULTS symbol set. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass certificate verification for a QUIC connection.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286429 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2024-2398
**DESCRIPTION:**cURL libcurl is vulnerable to a denial of service, caused by a memory leak when allowing HTTP/2 server push. By sending a specially crafted PUSH_PROMISE frames with an excessive amount of headers, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286430 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
PowerSC | 1.3, 2.0, 2.1, 2.2 |
The vulnerabilities in the following filesets are being addressed:
Fileset | Lower Level | Upper Level |
---|---|---|
powerscStd.tnc_pm | 1.3.0.4 | 2.2.0.2 |
curl-8.7.1-1.aix7.1.ppc.rpm | 7.19.4 | 8.6.0 |
Note: To find out whether the affected PowerSC filesets are installed on your systems, refer to the lslpp command found in AIX user’s guide. To find out whether the affected curl filesets are installed on your systems, refer to the rpm command found in AIX user’s guide.
Example: lslpp -l | grep powerscStd
Example: rpm -qa | grep curl
FIXES
IBM strongly recommends addressing the vulnerability now.
Fixes are available.
The fixes can be downloaded via yum:
To install any dependencies along with the fix package:
yum update curl
None
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
17.6%