- Advisory ID: CV_2024_08_2
- Severity: MEDIUM
- Issued: 2024-08-26
- Updated: 2024-09-16
- CVSS Score Range: 6.5
- Additional Links:

CVE_2024_7264 describes a security vulnerability that is exposed when the curl package is used with any of the following modules:

- GnuTLS since 7.42.0
- Schannel since 7.50.0
- Secure Transport since 7.79.0
- mbedTLS since 8.9.0

Commvault products do not use any of these modules and are not affected by this vulnerability.
Impacted Products
This vulnerability does not affect Commvault products.
Resolution
Commvault products use OpenSSL, which is not affected by this vulnerability.
CVE Details
| Info | Description |
|---|---|
| | libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. |
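
The bug class described above, shown from the defensive side as an added example (not libcurl's code and not part of the original advisory): a Generalized Time splitter that carries an explicit, unsigned length for every piece and rejects a fraction separator with no digits, so `strlen()` is never needed on the unterminated buffer. The names `gtime_split` and `gtime_parts` are hypothetical, and the example assumes the full `YYYYMMDDHHMMSS` prefix is required.

```c
#include <stddef.h>
#include <stdio.h>

/* Each piece carries an explicit length; callers never strlen() the buffer. */
struct gtime_parts {
  const char *frac; size_t fraclen; /* fraction digits, trailing zeros cut */
  const char *tz;   size_t tzlen;   /* "", "Z" or "+hhmm" / "-hhmm" */
};

/* True when the n bytes at p are all ASCII digits; never reads past n. */
static int digits(const char *p, size_t n)
{
  while(n && *p >= '0' && *p <= '9') { p++; n--; }
  return n == 0;
}

/* Hypothetical helper (not a libcurl function). `in` holds `len` bytes and is
   not assumed NUL-terminated. Returns 0 on success, -1 on a malformed field. */
int gtime_split(const char *in, size_t len, struct gtime_parts *out)
{
  size_t i = 14, start;
  if(len < 14 || !digits(in, 14)) return -1; /* assumed mandatory prefix */
  out->frac = NULL;
  out->fraclen = 0;
  if(i < len && (in[i] == '.' || in[i] == ',')) {
    start = ++i;
    while(i < len && digits(in + i, 1))
      i++;
    if(i == start) return -1;       /* separator without digits: reject */
    out->frac = in + start;
    out->fraclen = i - start;
    while(out->fraclen && out->frac[out->fraclen - 1] == '0')
      out->fraclen--;               /* unsigned count, stops at zero */
  }
  out->tz = in + i;
  out->tzlen = len - i;
  if(out->tzlen == 0 || (out->tzlen == 1 && in[i] == 'Z'))
    return 0;
  if(out->tzlen == 5 && (in[i] == '+' || in[i] == '-') && digits(in + i + 1, 4))
    return 0;
  return -1;
}

int main(void)
{
  /* Constructed samples, always passed with their explicit lengths. */
  const char *ok = "20240826120000.250Z", *bad = "20240826120000.Z";
  struct gtime_parts p;
  if(gtime_split(ok, 19, &p) == 0)
    printf("fraction=%.*s tz=%.*s\n", (int)p.fraclen, p.frac, (int)p.tzlen, p.tz);
  return gtime_split(bad, 16, &p) == -1 ? 0 : 1;
}
```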