6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-7264

GHSA ID

GHSA-97c4-2w4v-c7r8

EPSS Score

0.84917%

CWE

CWE-125

Published

7/31/2024

Updated

8/12/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-7264

CVE-2024-7264: libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized...

libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen() getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-7264

GHSA ID

GHSA-97c4-2w4v-c7r8

EPSS Score

0.84917%

CWE

CWE-125

Published

7/31/2024

Updated

8/12/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the GTime2str() function in lib/vtls/x509asn1.c.

The commit 3c914bc680155b32178f1f15ca8d47c7f4640afe introduced a flaw in how the fracl (fractional seconds length) variable was calculated. Specifically, the line fracl = tzp - fracp - 1; could result in fracl being -1 if tzp == fracp (meaning no digits were found after the fractional seconds separator '.' or ','). This negative fracl value was then used in Curl_dyn_addf as a precision for a string, leading to strlen() being called on a non-null-terminated buffer, causing an out-of-bounds read.

The commit 27959ecce75cdb2809c0bdb3286e60e08fadb519 fixed this by changing the calculation to fracl = tzp - fracp; and ensuring fracl is not negative. It also correctly handles the timezone part of the string.

The function Curl_x509_GTime2str is a wrapper around GTime2str for unit testing purposes and is also affected by the same vulnerability.

The vulnerability was originally introduced in commit 3a24cb7bc456366cbc3a03f7ab6d2576105a1f2d when the GTime2str function was added.

Therefore, the vulnerable functions are GTime2str and Curl_x509_GTime2str.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

li**url's *SN* p*rs*r *o** **s t** `*Tim**str()` *un*tion, us** *or p*rsin* *n *SN.* **n*r*liz** Tim* *i*l*. I* *iv*n *n synt**ti**lly in*orr**t *i*l*, t** p*rs*r mi**t *n* up usin* -* *or t** l*n*t* o* t** *tim* *r**tion*, l***in* to * `strl*n()` **

Reasoning

T** vuln*r**ility li*s in t** `*Tim**str()` *un*tion in `li*/vtls/x****sn*.*`. T** *ommit `****************************************` intro*u*** * *l*w in *ow t** `*r**l` (*r**tion*l s**on*s l*n*t*) v*ri**l* w*s **l*ul*t**. Sp**i*i**lly, t** lin* `*

6.5

Basic Information

Concerned about an active attack path?

CVE-2024-7264: libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized...

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI