cURL: Mehrere Schwachstellen
Multiple security vulnerabilities have been identified in the curl client software, which supports file transfers over protocols such as HTTP and FTP. One issue (CVE-2024-2004) involves curl incorrectly using default protocols when all protocols are disabled via parameters, affecting Ubuntu 23. 10. Another vulnerability (CVE-2024-2398) relates to improper memory handling when limiting HTTP headers during HTTP/2 server push, potentially allowing remote denial of service. These issues affect various Ubuntu releases and have been addressed in updated package versions.
AI Analysis
Technical Summary
The curl client software contains several vulnerabilities including CVE-2024-2004, where curl incorrectly defaults to a set of protocols despite parameters disabling all protocols, specifically impacting Ubuntu 23.10. Additionally, CVE-2024-2398 describes improper memory handling when limiting HTTP headers under HTTP/2 server push, which could be exploited remotely to cause resource exhaustion and denial of service. These vulnerabilities have been fixed in updated curl packages for multiple Ubuntu releases, including 23.10, 22.04 LTS, 20.04 LTS, 18.04 LTS, and 16.04 LTS.
Potential Impact
The vulnerabilities can lead to unexpected protocol usage (CVE-2024-2004) and denial of service via resource exhaustion (CVE-2024-2398) when curl processes HTTP/2 server push headers. Remote attackers could exploit these flaws to disrupt services relying on curl. There are no reports of known exploits in the wild at this time.
Mitigation Recommendations
Fixes for these vulnerabilities are available through standard system updates on affected Ubuntu versions. Users should update curl and related libcurl packages to the versions specified in the Ubuntu advisories USN-6718-1, USN-6718-2, and USN-6718-3. For Ubuntu Pro users, extended security coverage is available. No additional mitigation beyond applying these official updates is required.
cURL: Mehrere Schwachstellen
Description
Multiple security vulnerabilities have been identified in the curl client software, which supports file transfers over protocols such as HTTP and FTP. One issue (CVE-2024-2004) involves curl incorrectly using default protocols when all protocols are disabled via parameters, affecting Ubuntu 23. 10. Another vulnerability (CVE-2024-2398) relates to improper memory handling when limiting HTTP headers during HTTP/2 server push, potentially allowing remote denial of service. These issues affect various Ubuntu releases and have been addressed in updated package versions.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The curl client software contains several vulnerabilities including CVE-2024-2004, where curl incorrectly defaults to a set of protocols despite parameters disabling all protocols, specifically impacting Ubuntu 23.10. Additionally, CVE-2024-2398 describes improper memory handling when limiting HTTP headers under HTTP/2 server push, which could be exploited remotely to cause resource exhaustion and denial of service. These vulnerabilities have been fixed in updated curl packages for multiple Ubuntu releases, including 23.10, 22.04 LTS, 20.04 LTS, 18.04 LTS, and 16.04 LTS.
Potential Impact
The vulnerabilities can lead to unexpected protocol usage (CVE-2024-2004) and denial of service via resource exhaustion (CVE-2024-2398) when curl processes HTTP/2 server push headers. Remote attackers could exploit these flaws to disrupt services relying on curl. There are no reports of known exploits in the wild at this time.
Mitigation Recommendations
Fixes for these vulnerabilities are available through standard system updates on affected Ubuntu versions. Users should update curl and related libcurl packages to the versions specified in the Ubuntu advisories USN-6718-1, USN-6718-2, and USN-6718-3. For Ubuntu Pro users, extended security coverage is available. No additional mitigation beyond applying these official updates is required.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_base
- Csaf Version
- 2.0
- Publisher
- Bundesamt für Sicherheit in der Informationstechnik
- Advisory Id
- WID-SEC-W-2024-0726
- Cve Count
- 4
- Additional Cves
- ["CVE-2024-2379","CVE-2024-2398","CVE-2024-2466"]
- Cvss Version
- null
Threat ID: 6a27e99e8dd33fbd8516c500
Added to database: 6/9/2026, 10:23:26 AM
Last enriched: 6/9/2026, 10:44:40 AM
Last updated: 6/10/2026, 5:03:49 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.