Lucene search

K
mageiaGentoo FoundationMGASA-2024-0099
HistoryMar 29, 2024 - 6:49 a.m.

Updated curl packages fix security vulnerabilities

2024-03-2906:49:09
Gentoo Foundation
advisories.mageia.org
30
curl
packages
security
vulnerabilities
cve-2024-2004
disabled protocol
cve-2024-2398
http/2
memory-leak

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

17.6%

CVE-2024-2004: Usage of disabled protocol If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted. CVE-2024-2398: HTTP/2 push headers memory-leak A memory leak could occur when an application enabled HTTP/2 server push and the server sent a large number of headers.

OSVersionArchitecturePackageVersionFilename
Mageia9noarchcurl< 7.88.1-4.3curl-7.88.1-4.3.mga9

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

AI Score

7.2

Confidence

Low

EPSS

0.001

Percentile

17.6%