Undergoing Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
Products
libcurl
Source
2499f714-1537-4658-8207-48ae4bb9eae9
CVE-2024-7264 details
Published : July 31, 2024, 8:15 a.m.
Last Modified : July 31, 2024, 12:57 p.m.
Description
libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
References
URL | Source |
---|---|
http://www.openwall.com/lists/oss-security/2024/07/31/1 | 2499f714-1537-4658-8207-48ae4bb9eae9 |
https://curl.se/docs/CVE-2024-7264.html | 2499f714-1537-4658-8207-48ae4bb9eae9 |
https://curl.se/docs/CVE-2024-7264.json | 2499f714-1537-4658-8207-48ae4bb9eae9 |
https://hackerone.com/reports/2629968 | 2499f714-1537-4658-8207-48ae4bb9eae9 |