Lucene search

K
osvGoogleOSV:CURL-CVE-2024-2466
HistoryMar 27, 2024 - 8:00 a.m.

TLS certificate check bypass with mbedTLS

2024-03-2708:00:00
Google
osv.dev
12
tls certificate bypass
mbedtls
libcurl
ip address hosts
certificate check
software
https
ftps
imaps
pop3
smtps

AI Score

5

Confidence

High

EPSS

0

Percentile

13.5%

libcurl did not check the server certificate of TLS connections done to a host
specified as an IP address, when built to use mbedTLS.

libcurl would wrongly avoid using the set hostname function when the specified
hostname was given as an IP address, therefore completely skipping the
certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS,
POPS3, SMTPS, etc).