CVE Vulnerabilities

CVE-2024-2466

Improper Validation of Certificate with Host Mismatch

Published: Mar 27, 2024 | Modified: Jul 30, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).

Weakness

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

Affected Software

NameVendorStart VersionEnd Version
CurlHaxx8.5.0 (including)8.7.0 (excluding)
JBoss Core Services for RHEL 8RedHatjbcs-httpd24-curl-0:8.7.1-2.el8jbcs*
JBoss Core Services for RHEL 8RedHatjbcs-httpd24-httpd-0:2.4.57-10.el8jbcs*
JBoss Core Services for RHEL 8RedHatjbcs-httpd24-mod_http2-0:1.15.19-37.el8jbcs*
JBoss Core Services for RHEL 8RedHatjbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el8jbcs*
JBoss Core Services for RHEL 8RedHatjbcs-httpd24-mod_md-1:2.4.24-6.el8jbcs*
JBoss Core Services for RHEL 8RedHatjbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el8jbcs*
JBoss Core Services for RHEL 8RedHatjbcs-httpd24-mod_security-0:2.9.3-36.el8jbcs*
JBoss Core Services for RHEL 8RedHatjbcs-httpd24-nghttp2-0:1.43.0-13.el8jbcs*
JBoss Core Services on RHEL 7RedHatjbcs-httpd24-curl-0:8.7.1-2.el7jbcs*
JBoss Core Services on RHEL 7RedHatjbcs-httpd24-httpd-0:2.4.57-10.el7jbcs*
JBoss Core Services on RHEL 7RedHatjbcs-httpd24-mod_http2-0:1.15.19-37.el7jbcs*
JBoss Core Services on RHEL 7RedHatjbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el7jbcs*
JBoss Core Services on RHEL 7RedHatjbcs-httpd24-mod_md-1:2.4.24-6.el7jbcs*
JBoss Core Services on RHEL 7RedHatjbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el7jbcs*
JBoss Core Services on RHEL 7RedHatjbcs-httpd24-mod_security-0:2.9.3-36.el7jbcs*
JBoss Core Services on RHEL 7RedHatjbcs-httpd24-nghttp2-0:1.43.0-13.el7jbcs*
Text-Only JBCSRedHatjbcs-httpd24-curl*
CurlUbuntuupstream*

Extended Description

Even if a certificate is well-formed, signed, and follows the chain of trust, it may simply be a valid certificate for a different site than the site that the product is interacting with. In order to ensure data integrity, the certificate must be valid, and it must pertain to the site that is being accessed. Even if the product attempts to check the hostname, it is still possible to incorrectly check the hostname. For example, attackers could create a certificate with a name that begins with a trusted name followed by a NUL byte, which could cause some string-based comparisons to only examine the portion that contains the trusted name.

Potential Mitigations

References