CVE-2024-8096

moderate-risk

Published 2024-09-11

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

Do I need to act?

0.52% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (10)

Curl

Debian Linux

Active Iq Unified Manager

Ontap Select Deploy Administration Utility

Ontap Tools

Bootstrap Os

H300S Firmware

H410S Firmware

H500S Firmware

H700S Firmware

Affected Vendors

Debian Haxx Netapp

References (6)

Vendor Advisory https://curl.se/docs/CVE-2024-8096.html

Vendor Advisory https://curl.se/docs/CVE-2024-8096.json

Exploit https://hackerone.com/reports/2669852

Mailing List http://www.openwall.com/lists/oss-security/2024/09/11/1

Mailing List https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20241011-0005/

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 2/34 · Minimal

Exposure 16/34 · Moderate