Security Advisories

CV_2024_08_2: Curl advisory NO IMPACT

  • Advisory ID: CV_2024_08_2
  • Issued: 2024-08-26
  • Updated: 2024-09-16
  • Additional Links:

CVE-2024-7264 indicates that a security vulnerability is exposed when curl is used with any of the following modules in the curl package:

  • GnuTLS since 7.42.0

  • Schannel since 7.50.0

  • Secure Transport since 7.79.0

  • mbedTLS since 8.9.0

Commvault products do not use any of these modules and are not affected by this vulnerability.
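
An added example (not part of this advisory or of curl's code): a check that reads the first line of `curl --version` output and reports whether the build uses one of the modules listed above, at or after the version listed for it. The sample version lines are constructed, and no upper version bound is applied because this advisory does not state a fixed release.

```python
import re

# Modules and "since" versions exactly as listed in this advisory.
AFFECTED_SINCE = {
    "gnutls": (7, 42, 0),
    "schannel": (7, 50, 0),
    "securetransport": (7, 79, 0),
    "mbedtls": (8, 9, 0),
}


def parse_version_line(line):
    """Return (libcurl version tuple, set of component names) from the
    first line of `curl --version` output."""
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", line)
    if not m:
        raise ValueError("no libcurl/x.y.z token found")
    version = tuple(int(p) for p in m.groups())
    # Tokens after libcurl/x.y.z name the linked components, for example
    # "OpenSSL/3.0.13", "(SecureTransport)" or "Schannel".
    components = set()
    for token in line[m.end():].split():
        name = token.strip("()").split("/", 1)[0].lower()
        if name:
            components.add(name)
    return version, components


def listed_modules_in_use(line):
    """Advisory-listed modules this build uses at or after the version the
    advisory lists for them (no upper bound: none is given on the page)."""
    version, components = parse_version_line(line)
    return sorted(
        name for name, since in AFFECTED_SINCE.items()
        if name in components and version >= since
    )


# Constructed sample lines, not captured from real hosts.
SAMPLES = [
    "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3",
    "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 GnuTLS/3.8.3 zlib/1.3",
    "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 mbedTLS/3.5.1 zlib/1.3",
    "curl 7.88.1 (x86_64-apple-darwin) libcurl/7.88.1 (SecureTransport) LibreSSL/3.3.6",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(listed_modules_in_use(sample) or "none listed", "<-", sample)
```

An empty result means the build uses none of the listed modules in the listed version range, which is the case for an OpenSSL-only build.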

Impacted Products

This vulnerability does not affect Commvault products.

Resolution

Commvault products use OpenSSL, which is not affected by this vulnerability.

CVE Details

Info Description

libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.
