AZL-37078

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-37078.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-37078

Upstream

CVE-2024-2398

Published

2024-03-27T08:15:41Z

Modified

2026-04-01T05:12:25.706245Z

Summary

CVE-2024-2398 affecting package curl for versions less than 8.8.0-1

Details

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-2398

Affected packages

Azure Linux:2 / curl

Package

Name: curl
Purl: pkg:rpm/azure-linux/curl

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.8.0-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-37078.json"