CVE-2024-32928

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

T

he libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices which enabled a potential man-in-the-middle attack on requests to Google cloud services by any host the traffic was routed through.

References

Link	Resource
https://support.google.com/product-documentation/answer/14771247?hl=en&ref_topic=12974021&sjid=9111851316942032590-NA#zippy=	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:google:nest_mini_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:google:nest_mini:-:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:haxx:libcurl:-:*:*:*:*:*:*:*

History

14 Mar 2025, 16:15

Type	Values Removed	Values Added
CWE		CWE-295

20 Aug 2024, 16:13

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9
Summary		(es) La opción libcurl CURLOPT_SSL_VERIFYPEER se deshabilitó en un subconjunto de solicitudes realizadas por dispositivos de producción Nest, lo que permitió un posible ataque de intermediario en solicitudes a los servicios en la nube de Google por parte de cualquier host por el que se enrutara el tráfico.
First Time		Haxx libcurl Google nest Mini Google Google nest Mini Firmware Haxx
References	~~() https://support.google.com/product-documentation/answer/14771247?hl=en&ref_topic=12974021&sjid=9111851316942032590-NA#zippy= -~~	() https://support.google.com/product-documentation/answer/14771247?hl=en&ref_topic=12974021&sjid=9111851316942032590-NA#zippy= - Vendor Advisory
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:o:google:nest_mini_firmware:-:::::::* cpe:2.3:a:haxx:libcurl:-:::::::* cpe:2.3:h:google:nest_mini:-:::::::*

19 Aug 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-19 17:15

Updated : 2025-03-14 16:15

NVD link : CVE-2024-32928

Mitre link : CVE-2024-32928

CVE.ORG link : CVE-2024-32928

JSON object : View

Products Affected

libcurl

CWE

NVD-CWE-noinfo CWE-295

Improper Certificate Validation

{"id": "CVE-2024-32928", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2024-08-19T17:15:07.557", "references": [{"url": "https://support.google.com/product-documentation/answer/14771247?hl=en&ref_topic=12974021&sjid=9111851316942032590-NA#zippy=", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices which enabled a potential man-in-the-middle attack on requests to Google cloud services by any host the traffic was routed through."}, {"lang": "es", "value": "La opci\u00f3n libcurl CURLOPT_SSL_VERIFYPEER se deshabilit\u00f3 en un subconjunto de solicitudes realizadas por dispositivos de producci\u00f3n Nest, lo que permiti\u00f3 un posible ataque de intermediario en solicitudes a los servicios en la nube de Google por parte de cualquier host por el que se enrutara el tr\u00e1fico."}], "lastModified": "2025-03-14T16:15:31.157", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:nest_mini_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDFD7974-8108-4FBD-A70C-3EBE70EC8A4E"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:google:nest_mini:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4D380EB7-288F-420B-A971-CBDF91AEE8BF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haxx:libcurl:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D43957B-3D81-4334-9C2C-819F8B322FC7"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}