NVD Vulnerability Detail

CVE-2024-2398

Summary	When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.
Publication Date	March 27, 2024, 5:15 p.m.
Registration Date	March 27, 2024, 8 p.m.
Last Update	Nov. 21, 2024, 6:09 p.m.

Related information, measures and tools

No	URL	refsource	タグ
1	http://seclists.org/fulldisclosure/2024/Jul/18
2	http://seclists.org/fulldisclosure/2024/Jul/18
3	http://seclists.org/fulldisclosure/2024/Jul/19
4	http://seclists.org/fulldisclosure/2024/Jul/19
5	http://seclists.org/fulldisclosure/2024/Jul/20
6	http://seclists.org/fulldisclosure/2024/Jul/20
7	http://www.openwall.com/lists/oss-security/2024/03/27/3
8	http://www.openwall.com/lists/oss-security/2024/03/27/3
9	https://curl.se/docs/CVE-2024-2398.html
10	https://curl.se/docs/CVE-2024-2398.html
11	https://curl.se/docs/CVE-2024-2398.json
12	https://curl.se/docs/CVE-2024-2398.json
13	https://hackerone.com/reports/2402845
14	https://hackerone.com/reports/2402845
15	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
16	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
17	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
18	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
19	https://security.netapp.com/advisory/ntap-20240503-0009/
20	https://security.netapp.com/advisory/ntap-20240503-0009/
21	https://support.apple.com/kb/HT214118
22	https://support.apple.com/kb/HT214118
23	https://support.apple.com/kb/HT214119
24	https://support.apple.com/kb/HT214119
25	https://support.apple.com/kb/HT214120
26	https://support.apple.com/kb/HT214120

Common Vulnerabilities List

JVN Vulnerability Information

Haxx の cURL 等複数ベンダの製品における有効なライフタイム後のリソースの解放の欠如に関する脆弱性

Title	Haxx の cURL 等複数ベンダの製品における有効なライフタイム後のリソースの解放の欠如に関する脆弱性
Summary	Haxx の cURL 等複数ベンダの製品には、有効なライフタイム後のリソースの解放の欠如に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 27, 2024, midnight
Registration Date	Aug. 1, 2025, 2:04 p.m.
Last Update	Aug. 1, 2025, 2:04 p.m.

Affected System

アップル

macOS 12.7.6 未満

macOS 13.0 以上 13.6.8 未満

macOS 14.0 以上 14.6 未満

Fedora Project

Fedora 39

Fedora 40

Haxx

cURL 7.44.0 以上 8.7.0 未満

NetApp

Active IQ Unified Manager

Bootstrap OS

brocade fabric operating system

H300S ファームウェア

H410S ファームウェア

H500S ファームウェア

H610C ファームウェア

H610S ファームウェア

H615C ファームウェア

H700S ファームウェア

ONTAP Select Deploy administration utility

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-2398	https://www.cve.org/CVERecord?id=CVE-2024-2398
cURL
2	CVE-2024-2398	https://curl.se/docs/CVE-2024-2398.html
National Vulnerability Database (NVD)
3	CVE-2024-2398	https://nvd.nist.gov/vuln/detail/CVE-2024-2398

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-772	https://cwe.mitre.org/data/definitions/772.html

ベンダー情報

No	Name	URL
Apple Security Updates
1	HT214118	https://support.apple.com/en-us/HT214118
2	HT214119	https://support.apple.com/en-us/HT214119
3	HT214120	https://support.apple.com/en-us/HT214120
Apple セキュリティアップデート
4	HT214118	https://support.apple.com/ja-jp/HT214118
5	HT214119	https://support.apple.com/ja-jp/HT214119
6	HT214120	https://support.apple.com/ja-jp/HT214120
cURL
7	CURL-CVE-2024-2398	https://curl.se/docs/CVE-2024-2398.json
Fedora Update Notification
8	FEDORA-2024-6dab59bd47	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/
9	FEDORA-2024-a09456b7a9	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/
NetApp Advisory
10	NTAP-20240503-0009	https://security.netapp.com/advisory/ntap-20240503-0009/

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-24-256-10	https://www.cisa.gov/news-events/ics-advisories/icsa-24-256-10
2	ICSA-24-319-04	https://www.cisa.gov/news-events/ics-advisories/icsa-24-319-04
3	ICSA-24-319-16	https://www.cisa.gov/news-events/ics-advisories/icsa-24-319-16
JVN
4	JVNVU#90825867	https://jvn.jp/vu/JVNVU90825867/
5	JVNVU#96191615	https://jvn.jp/vu/JVNVU96191615/
6	JVNVU#98006842	https://jvn.jp/vu/JVNVU98006842/
関連文書
7	hackerone.com (reports/2402845)	https://hackerone.com/reports/2402845
8	seclists.org (Jul/18)	http://seclists.org/fulldisclosure/2024/Jul/18
9	seclists.org (Jul/19)	http://seclists.org/fulldisclosure/2024/Jul/19
10	seclists.org (Jul/20)	http://seclists.org/fulldisclosure/2024/Jul/20
11	www.openwall.com (oss-security/2024/03/27/3)	http://www.openwall.com/lists/oss-security/2024/03/27/3

Change Log

No	Changed Details	Date of change
1	[2025年07月31日] 掲載	July 31, 2025, 10:22 a.m.