- Advisory ID: CV_2024_08_2
- Issued: 2024-08-26
- Updated: 2024-10-22
- Additional Links:
CVE-2024-7264 indicates a security vulnerability that is exposed when curl is built with one of the following TLS modules:
- GnuTLS since 7.42.0
- Schannel since 7.50.0
- Secure Transport since 7.79.0
- mbedTLS since 8.9.0
Commvault products do not use any of these modules and are not affected by this vulnerability.
Impacted Products
This vulnerability does not affect Commvault products.
Resolution
The vulnerable code can only be reached when curl is built to use GnuTLS, Schannel, Secure Transport or mbedTLS. Builds using other TLS backends are not vulnerable to this method of attack. Commvault uses OpenSSL as its TLS backend, which is not affected by this vulnerability.
CVE Details
| Info | Description |
|---|---|
| CVE-2024-7264 | libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. |
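As an added illustration of the bug class described in the table above, the following parser reads an ASN.1 GeneralizedTime field from a length-delimited buffer the way a hardened implementation should. It is example code written for this advisory, not curl's code and not the fixed `GTime2str()`: the function names and the layout of `struct gtime` are this example's own assumptions. Every access is bounded by the explicit length, a '.' with no fraction digits after it is rejected instead of producing a negative length, and the fraction is copied into its own NUL-terminated buffer so that no `strlen()` ever runs on the caller's memory.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed GeneralizedTime. Layout and names are this example's own, not libcurl's. */
struct gtime {
    char   base[15];   /* "YYYYMMDDHHMMSS" as a NUL-terminated copy */
    char   frac[16];   /* fraction digits, NUL-terminated copy (empty if none) */
    size_t frac_len;   /* number of fraction digits, 0 when absent */
    int    utc;        /* 1 when the field ended with 'Z' */
};

/*
 * Parse "YYYYMMDDHHMMSS[.fff...][Z]" from buf[0..len).
 * buf is treated as NOT NUL-terminated: every access is bounded by len,
 * and the fraction length is derived only from validated positions, so a
 * malformed field (e.g. a '.' with no digits after it) yields -1 instead of
 * a negative or wrapped length being handed on to string functions.
 * Returns 0 on success, -1 if the field is malformed.
 */
int parse_generalized_time(const unsigned char *buf, size_t len, struct gtime *out)
{
    size_t i, end = len, frac_len;

    memset(out, 0, sizeof(*out));
    if (len < 14)
        return -1;                      /* too short for the mandatory part */
    for (i = 0; i < 14; i++)
        if (!isdigit(buf[i]))
            return -1;
    memcpy(out->base, buf, 14);
    out->base[14] = '\0';

    if (end > 14 && buf[end - 1] == 'Z') {  /* optional UTC designator */
        out->utc = 1;
        end--;
    }
    if (end == 14)
        return 0;                       /* no fraction present */
    if (buf[14] != '.')
        return -1;                      /* something other than a fraction */
    if (end <= 15)
        return -1;                      /* '.' followed by no digits: reject */
    frac_len = end - 15;
    if (frac_len >= sizeof(out->frac))
        return -1;                      /* would not fit the bounded copy */
    for (i = 15; i < end; i++)
        if (!isdigit(buf[i]))
            return -1;
    memcpy(out->frac, buf + 15, frac_len);
    out->frac[frac_len] = '\0';         /* safe to strlen() from here on */
    out->frac_len = frac_len;
    return 0;
}

/* Check helper: fraction digit count for a field, or -1 if it is malformed. */
long fraction_len_of(const char *field)
{
    struct gtime t;
    if (parse_generalized_time((const unsigned char *)field, strlen(field), &t) != 0)
        return -1;
    return (long)t.frac_len;
}

int main(void)
{
    /* Constructed sample fields; each heap copy is deliberately not NUL-terminated
       to mirror how a DER value sits inside a larger certificate buffer. */
    const char *samples[] = {
        "20240826120000.123Z",   /* well-formed, 3 fraction digits */
        "20240826120000Z",       /* well-formed, no fraction */
        "20240826120000.Z",      /* malformed: dot but no digits */
        "20240826120000.",       /* malformed: trailing dot, no designator */
    };
    for (size_t n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        size_t len = strlen(samples[n]);
        unsigned char *raw = malloc(len);     /* no room for a NUL on purpose */
        struct gtime t;
        if (!raw)
            return 1;
        memcpy(raw, samples[n], len);
        int rc = parse_generalized_time(raw, len, &t);
        printf("%-22s -> %s", samples[n], rc == 0 ? "ok" : "rejected");
        if (rc == 0)
            printf(" (base=%s frac=\"%s\" len=%zu utc=%d)", t.base, t.frac, t.frac_len, t.utc);
        printf("\n");
        free(raw);
    }
    return 0;
}
```

The two malformed samples are the shape of input the advisory describes: a field whose fraction marker is present but whose fraction content is not. Rejecting them at the length computation, before any copy or string call, is the property to look for when reviewing a parser of this kind.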