CVE-2024-2004: 
MySQL vulnerability analysis and mitigation

CVE-2024-2004 is a vulnerability in curl versions 7.85.0 to 8.6.0, discovered in February 2024. The flaw occurs when a protocol selection parameter option disables all protocols without adding any, causing the default set of protocols to remain in the allowed set due to an error in the logic for removing protocols. This vulnerability was fixed in curl version 8.7.0, released on March 27, 2024 (Curl Advisory).

The vulnerability manifests when using the --proto option to disable protocols. For example, the command 'curl --proto -all,-http http://curl.se' would perform a request using a plaintext protocol that was explicitly disabled. The flaw is only present if the set of selected protocols disables the entire set of available protocols. The issue was addressed in curl 8.7.0 by clearing the set of allowed protocols before inspecting the set of disabled protocols, ensuring all protocols remain disabled in the error path (Curl Advisory).

The curl security team has assessed this as a low severity bug due to its limited practical impact. The vulnerability requires a specific command configuration that has no practical use and is unlikely to be encountered in real situations (Curl Advisory).

The recommended mitigations include: 1) Upgrading curl to version 8.7.0 or later, 2) Applying the patch to local versions, and 3) Inspecting any scripts which construct curl commands with --proto options to ensure there is at least one allowed protocol (Curl Advisory).

Multiple vendors have acknowledged and addressed this vulnerability in their products, including Apple in their macOS updates and NetApp in their product security advisory (Apple Security, NetApp Advisory).