CVE-2024-2466

ADVISORY - nist

Summary

libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).

EPSS Score⁠: 0.00149 (0.359)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-297⁠

Improper Validation of Certificate with Host Mismatch

ADVISORY - redhat

CWE-297⁠

Improper Validation of Certificate with Host Mismatch

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.