Main Vulnerability Database SB2024110621

SB2024110621 - Incorrect HSTS cache handling in cURL

Published: November 6, 2024

Security Bulletin ID SB2024110621

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Comparison using wrong factors (CVE-ID: CVE-2024-9681)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error in HSTS cache implementation. When curl is asked to use HSTS, the expiry time for a subdomain can overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This can lead to situations when the website becomes unavailable or force the client to switch to HTTP from HTTP connection earlier than intended.

Remediation

Install update from vendor's website.

References

https://curl.haxx.se/docs/CVE-2024-9681.html