{ "threat_severity" : "Low", "public_date" : "2024-03-27T00:00:00Z", "bugzilla" : { "description" : "curl: QUIC certificate check bypass with wolfSSL", "id" : "2270499", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2270499" }, "cvss3" : { "cvss3_base_score" : "5.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-295", "details" : [ "libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.", "A flaw was found in curl. When libcurl is built to use wolfSSL as the TLS backend, it skips certificate verification for a QUIC connection if an unknown/bad cipher or curve is used." ], "statement" : "The curl package as shipped by Red Hat Enterprise Linux and RHSCL is not affected by this vulnerability because it does not have support for wolfSSL.", "affected_release" : [ { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-curl-0:8.7.1-2.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-httpd-0:2.4.57-10.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_http2-0:1.15.19-37.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_md-1:2.4.24-6.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_security-0:2.9.3-36.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-nghttp2-0:1.43.0-13.el8jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-curl-0:8.7.1-2.el7jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.57-10.el7jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_http2-0:1.15.19-37.el7jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el7jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_md-1:2.4.24-6.el7jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el7jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_security-0:2.9.3-36.el7jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2693", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-nghttp2-0:1.43.0-13.el7jbcs" }, { "product_name" : "Text-Only JBCS", "release_date" : "2024-05-07T00:00:00Z", "advisory" : "RHSA-2024:2694", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "jbcs-httpd24-curl" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "httpd24-curl", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-2379\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-2379\nhttps://curl.se/docs/CVE-2024-2379.html" ], "name" : "CVE-2024-2379", "csaw" : false }