
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-9681 affects curl versions 7.74.0 to 8.10.1, discovered on October 7, 2024, and publicly disclosed on November 6, 2024. The vulnerability occurs when curl is configured to use HSTS (HTTP Strict Transport Security), where the expiry time for a subdomain might incorrectly overwrite a parent domain's cache entry, causing it to end sooner or later than intended (Curl Advisory).
The vulnerability affects applications that enable HSTS and use URLs with the insecure HTTP scheme, particularly when performing transfers with hosts like x.example.com and example.com where one is a subdomain of the other. When x.example.com responds with Strict-Transport-Security headers, the subdomain's expiry timeout can incorrectly overwrite the parent domain example.com's entry in curl's HSTS cache. The issue has been assigned a CVSS 3.1 base score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L (NVD).
The vulnerability can result in HTTP accesses to example.com being converted to HTTPS for a different period than intended by the origin server. This can lead to either failed access attempts if HTTPS is no longer supported at the expiry time, or premature fallback to insecure HTTP. The impact is considered a potential minor DoS security problem or unintended cleartext transmission of data (Curl Advisory).
Three recommended actions have been provided in order of preference: 1) Upgrade curl and libcurl to version 8.11.0, 2) Apply the patch to the existing version and rebuild, or 3) Avoid relying on HSTS. A fix has been implemented in curl version 8.11.0, released on November 6, 2024 (Curl Advisory).
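To make the cache behaviour concrete, here is an added Python model (not curl's code) of an HSTS cache keyed by exact hostname. The `exact_update` flag switches between the correct behaviour and a simplified model of the flaw described above, where the update for `x.example.com` finds the parent `example.com` entry through subdomain matching and overwrites its expiry; hostnames, header values and timestamps are constructed for the example.

```python
def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_subs = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_subs = True
    return max_age, include_subs


class HstsCache:
    """Minimal HSTS cache model; exact_update=False reproduces the parent-overwrite flaw."""

    def __init__(self, exact_update=True):
        self.entries = {}  # host -> {"expires": unix time, "subdomains": bool}
        self.exact_update = exact_update

    def lookup(self, host, now, subdomains=True):
        """Return (key, entry) governing host: exact match first, then parents with includeSubDomains."""
        entry = self.entries.get(host)
        if entry and entry["expires"] > now:
            return host, entry
        if not subdomains:
            return None
        labels = host.split(".")
        for i in range(1, len(labels) - 1):  # walk up to the registrable parent, never to the TLD
            parent = ".".join(labels[i:])
            entry = self.entries.get(parent)
            if entry and entry["subdomains"] and entry["expires"] > now:
                return parent, entry
        return None

    def update(self, host, header, now):
        """Apply a Strict-Transport-Security header received from host."""
        max_age, include_subs = parse_sts(header)
        if max_age is None:
            return
        if max_age == 0:
            self.entries.pop(host, None)
            return
        # Correct: only the exact host's own entry is (re)written.
        # Flawed model: a subdomain-matching lookup may return the parent's key, so
        # x.example.com's max-age overwrites example.com's expiry (the bug described above).
        found = self.lookup(host, now, subdomains=not self.exact_update)
        key = found[0] if found else host
        self.entries[key] = {"expires": now + max_age, "subdomains": include_subs}

    def upgrade_to_https(self, host, now):
        """True if an unexpired HSTS entry requires host to be fetched over HTTPS."""
        return self.lookup(host, now) is not None
```

Running both variants with `example.com` (max-age 3600, includeSubDomains) followed by `x.example.com` (max-age 10) shows the parent still enforcing HTTPS after 1000 seconds in the correct model and falling back to cleartext in the flawed one.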
Source: This report was generated using AI