When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly treat the response as fine.
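If the returned status reports an error other than "revoked" (for example, "unauthorized"), curl does not treat it as a bad certificate. The fix signatures below all target `lib/vtls/gtls.c`, curl's GnuTLS backend, so that is the build configuration to check first.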
{ "last_affected": "8.9.1", "package": "curl", "issue": "https://hackerone.com/reports/2669852", "award": { "currency": "USD", "amount": "2540" }, "URL": "https://curl.se/docs/CVE-2024-8096.json", "severity": "Medium", "www": "https://curl.se/docs/CVE-2024-8096.html", "CWE": { "desc": "Improper Certificate Validation", "id": "CWE-295" }, "affects": "both" }
{ "vanir_signatures": [ { "deprecated": false, "signature_type": "Function", "source": "https://github.com/curl/curl.git/commit/aeb1a281cab13c7ba791cb104e556b20e713941f", "signature_version": "v1", "target": { "file": "lib/vtls/gtls.c", "function": "Curl_gtls_verifyserver" }, "digest": { "function_hash": "240788416469107111537004525007068725322", "length": 9318.0 }, "id": "CURL-CVE-2024-8096-486f8565" }, { "deprecated": false, "signature_type": "Line", "source": "https://github.com/curl/curl.git/commit/aeb1a281cab13c7ba791cb104e556b20e713941f", "signature_version": "v1", "target": { "file": "lib/vtls/gtls.c" }, "digest": { "threshold": 0.9, "line_hashes": [ "303117184947371648792287720611573599118", "209946621648742505282756681371815696822", "195591179407284657172564313670975308623", "58328545754894194640591627435341655549", "95852057744293436852001373831703156195", "103394213132727310856852927951854566748", "265721200941466069487320513987856136607", "41726117843492183422027861814872071364", "93634130137749873784555808535060409648", "36496307838867237812167335780157981804", "303844972261704133370078214546791099517", "57544969043197931985774335346816809235", "17443935767711712262649956180927625143", "20109761154480960718460861733647033934", "254935086391607542514916564041298854852", "148269691299838833912186189299672587512", "259140078773706719993079486444571716333", "203181427056380040823533688450215684990", "47846369047818349017433408976724459051", "44854094618002595715182905123762901579", "312607733140109101913732261544273906056", "82703385633838250685135480737551663542", "228626524780139345350987357133924705522", "203181427056380040823533688450215684990", "80550658282220164429355629002100639109", "281327666176597866186361204568484048606", "191541904504918446144214037030147982793", "125103390510382766955997894677199713617", "260554357988199540263737723795941763094", "51013153307094541351030497341199171712", "102141001015462078839835304458210286502", 
"177997019633562104538978427639838293596", "193929651919615858575658013238139305612", "149926588059651429960438420690834169786", "283100006604064684128108550907612050120", "265689625694951369703406636569609049864", "187184063256316406878454923276034075034", "239425292115393199983444689712585190825", "276313841266331685073047625962559528790", "125669466248079838760771227798062833996", "339102750152923158942446647374771129529", "127395975702418494520108209120809922850", "43770406347483928085718112032439592744", "327659262120512568344171665143917071012", "120466021912215999623476059726350455246", "272786504616296406921824660943653120038", "52491747266315605936408463216198803780", "26126299607406525187548261507401676668", "291577339880273662000775822736560720017", "259616369283920951072325679322188303090", "226042970205782793379263274643633089194", "92942956495767865323894852428637394263", "178144389214233096537729542793578703439", "294571860271041379193214312423135354510", "289018515318230143023015659699561767394", "18160697337673836785113654535079232469", "211928128971544311528271404631029382062", "281846703668675072436134810393552302359", "60538710630836866295679039879265890422", "216834106973258000191699976465544991138", "289531348347477374609171095856678128318", "30690057042575772555072697040419173143", "220778866905613532973818531948211751499", "319504175873325593195405319580300611012", "38222949992890941852590702405023012522", "322744630424715530993550610748154172913", "264581629138938009987548611517325837027", "43754896390189873076651383918988819886", "321406363132245855614712275813059961371", "275327300807653865996223000837748693968", "43025168033754054695641767280077062912", "197534042954744831965324262027666772592", "179472844240100665577428080087573288249", "294586968689328130003269244932619652262", "33713397027158062049495689690895931117", "203585396085000052671222351349104537035", "312145221287237065140509195645921649518", 
"327123428392919230846603042839908051814", "263674154252261821814350730511324913570", "139029705847748754469162768785573836257" ] }, "id": "CURL-CVE-2024-8096-58d2d761" }, { "deprecated": false, "signature_type": "Function", "source": "https://github.com/curl/curl.git/commit/aeb1a281cab13c7ba791cb104e556b20e713941f", "signature_version": "v1", "target": { "file": "lib/vtls/gtls.c", "function": "gtls_client_init" }, "digest": { "function_hash": "297140625402079151609682920819686662593", "length": 4882.0 }, "id": "CURL-CVE-2024-8096-7035e3bd" } ] }