Low Severity Bug in curl Affects Protocol Selection
CVE-2024-2004
3.5 LOW
What is CVE-2024-2004?
A logic flaw in the curl command line tool can leave protocols enabled that the user intended to disable. When the protocol selection parameter is used to disable all available protocols without enabling any alternative, curl retains its default set of protocols instead of ending up with none, due to an oversight in the implementation. A request could therefore be made over a plaintext protocol the user meant to disable, although such a configuration is largely impractical in everyday use. The curl security team has assessed the potential impact and considers it unlikely to pose a significant threat in common operating environments.
Affected Version(s)
curl 8.6.0
curl 8.5.0
curl 8.4.0
References
CVSS v3.1
Score: 3.5
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved
Credit
Dan Fandrich
Daniel Gustafsson