Description

libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.

INFO

Published Date :

2024-07-31T08:08:14.585Z

Last Modified :

2025-11-03T22:32:51.400Z

Source :

curl
AFFECTED PRODUCTS

The following products are affected by CVE-2024-7264 vulnerability.

Vendors Products
Haxx
  • Libcurl
Redhat
  • Enterprise Linux
  • Service Mesh
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-7264.

URL Resource
http://www.openwall.com/lists/oss-security/2024/07/31/1 cve-icon cve-icon
https://curl.se/docs/CVE-2024-7264.html cve-icon cve-icon
https://curl.se/docs/CVE-2024-7264.json cve-icon cve-icon
https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519 cve-icon
https://hackerone.com/reports/2629968 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-7264 cve-icon
https://security.netapp.com/advisory/ntap-20240828-0008/ cve-icon
https://security.netapp.com/advisory/ntap-20241025-0006/ cve-icon
https://security.netapp.com/advisory/ntap-20241025-0010/ cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-7264 cve-icon
https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixMSQL cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact