PT-2024-7663 · Curl+9
Daniel Stenberg +1
Published: 2024-10-09 · Updated: 2026-05-18
CVE-2024-9681
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
curl versions prior to 8.10.1
Description
The issue is in the implementation of the HSTS (HTTP Strict Transport Security) mechanism in the curl utility. When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects applications using curl that enable HSTS, use URLs with the insecure HTTP:// scheme, and perform transfers with hosts such as x.example.com as well as example.com, where the first host is a subdomain of the second. When the bug is triggered, HTTP accesses to example.com get converted to HTTPS for a different period of time than the one requested by the origin server. If example.com, for example, stops supporting HTTPS at its expiry time, curl might then fail to access http://example.com until the (wrongly set) timeout expires. The bug can also expire the parent's entry earlier, making curl inadvertently switch back to insecure HTTP sooner than otherwise intended.
Recommendations
To resolve the issue, update curl to version 8.10.1 or later. As a temporary workaround, consider restricting the influence of subdomains on the HSTS cache of parent domains to minimize the risk of exploitation. Avoid using the HTTP:// scheme for transfers with hosts that have subdomains, and use the HTTPS:// scheme instead to ensure secure connections.
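Added illustration (not the advisory's text and not curl's code): a toy HSTS cache in which the update path reuses the parent-matching lookup that enforcement needs, beside an exact-match update that keeps a subdomain's max-age from touching its parent's entry. Hosts, max-age values and the timestamp are constructed.

```python
# Toy HSTS cache modelling CVE-2024-9681 (constructed example, not curl's code).
# Hosts, max-age values and the timestamp below are made up for illustration.

class HstsCache:
    def __init__(self):
        # host -> {"expires": unix time, "subdomains": includeSubDomains flag}
        self.entries = {}

    def lookup(self, host):
        """Enforcement lookup: exact host first, then the nearest parent
        entry carrying includeSubDomains (what an HTTPS upgrade check needs)."""
        if host in self.entries:
            return host
        labels = host.split(".")
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            entry = self.entries.get(parent)
            if entry and entry["subdomains"]:
                return parent
        return None

    def update_buggy(self, host, max_age, subdomains, now):
        """Reuses the enforcement lookup when storing a header, so a header
        from x.example.com rewrites the example.com entry (the advisory's bug)."""
        key = self.lookup(host) or host
        self.entries[key] = {"expires": now + max_age, "subdomains": subdomains}

    def update_fixed(self, host, max_age, subdomains, now):
        """Stores the header under the exact host only; a subdomain's expiry
        can neither shorten nor extend its parent's entry."""
        self.entries[host] = {"expires": now + max_age, "subdomains": subdomains}

    def https_required(self, host, now):
        key = self.lookup(host)
        return key is not None and self.entries[key]["expires"] > now


def scenario(update):
    """Parent sets a one-year policy, then a subdomain sends max-age=60.
    Returns the parent's stored expiry and whether http://example.com is
    still upgraded two minutes later."""
    cache = HstsCache()
    now = 1_700_000_000.0  # constructed fixed timestamp
    update(cache, "example.com", 31536000, True, now)
    update(cache, "x.example.com", 60, False, now)
    parent_expires = cache.entries["example.com"]["expires"]
    return parent_expires, cache.https_required("example.com", now + 120)
```

With the buggy path the parent's entry expires 60 seconds after the subdomain's header arrives, so the plain HTTP request to example.com is no longer upgraded two minutes later; with the exact-match path the parent keeps its one-year policy.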
Affected Products
Alt Linux
Astra Linux
Debian
Ibm Aix
Linuxmint
Apple Macos
Red Os
Suse
Ubuntu
Curl