curl vulnerabilities ironed out with patches after week-long tease
Described by curl project founder and lead developer Daniel Stenberg as "Probably the worst curl security flaw in a long time," the patches address two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546.
We now know the first vulnerability, CVE-2023-38545, is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of "High." Possible outcomes of such issues include the corruption of data and, in the worst cases, the execution of arbitrary code.
Curl said the vulnerability could most likely be exploited without the need for a denial-of-service attack or for attackers to gain control of the SOCKS server, since a typical server's latency is slow enough on its own.
The curl tool's default configuration protects against the vulnerability by default, but applications that depend on libcurl may need to make changes.
The curl project's advisory says the likelihood that an attacker could meet the series of conditions required to trigger the vulnerability is low, and adds that even if they did, the risk of a cookie injection attack to the safety of a user is also low.
Users are advised to upgrade to curl 8.4.0 and call curl_easy_setopt(cloned_curl, CURLOPT_COOKIELIST, "ALL"); after every call to curl_easy_duphandle();.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-10-18 | CVE-2023-38546 | Unspecified vulnerability in Haxx Libcurl: This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. | 3.7 |
2023-10-18 | CVE-2023-38545 | Out-of-bounds Write vulnerability in multiple products: This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. | 9.8 |
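The 255-byte ceiling described above comes from the SOCKS5 wire format, where the domain-name address type carries a one-byte length field. The C function below is an added example, not curl's code: it builds a SOCKS5 CONNECT request with the length check applied before any byte is copied and returns a distinct result telling the caller to resolve the name locally when it does not fit; `socks5_build_connect` and `socks5_try_name_len` are names chosen here, and the test input is constructed.

```c
#include <stdint.h>
#include <string.h>
/* SOCKS5 CONNECT request with ATYP 0x03 (domain name), per RFC 1928:
 * VER CMD RSV ATYP LEN HOST[LEN] PORT(2). LEN is a single byte, which is
 * why a hostname handed to the proxy can never exceed 255 bytes. */
#define SOCKS5_MAX_HOSTNAME 255
enum socks5_result {
    SOCKS5_OK = 0,            /* request written to buf, *outlen bytes */
    SOCKS5_RESOLVE_LOCALLY,   /* name too long for the wire format: the
                                 caller must resolve it and send an address */
    SOCKS5_BUFFER_TOO_SMALL
};
/* Hypothetical encoder (not curl's). The length check runs before a single
 * byte is copied and the function keeps no hidden state, so there is no
 * decision to lose if a caller re-enters it after waiting on a slow proxy. */
enum socks5_result socks5_build_connect(const char *host, uint16_t port,
                                       unsigned char *buf, size_t buflen,
                                       size_t *outlen)
{
    size_t hostlen = strlen(host);
    size_t need = 4 + 1 + hostlen + 2;
    if (hostlen > SOCKS5_MAX_HOSTNAME)
        return SOCKS5_RESOLVE_LOCALLY;
    if (buflen < need)
        return SOCKS5_BUFFER_TOO_SMALL;
    buf[0] = 0x05;                          /* VER  = SOCKS5        */
    buf[1] = 0x01;                          /* CMD  = CONNECT       */
    buf[2] = 0x00;                          /* RSV                  */
    buf[3] = 0x03;                          /* ATYP = domain name   */
    buf[4] = (unsigned char)hostlen;        /* LEN fits in one byte */
    memcpy(buf + 5, host, hostlen);
    buf[5 + hostlen] = (unsigned char)(port >> 8);
    buf[6 + hostlen] = (unsigned char)(port & 0xff);
    *outlen = need;
    return SOCKS5_OK;
}
/* Constructed input: a hostname of n 'a' bytes written into an ample buffer,
 * so the only thing that can reject it is the wire-format limit. */
enum socks5_result socks5_try_name_len(size_t n)
{
    char host[1024];
    unsigned char buf[1100];
    size_t out = 0;
    if (n >= sizeof host) return SOCKS5_BUFFER_TOO_SMALL;
    memset(host, 'a', n);
    host[n] = '\0';
    return socks5_build_connect(host, 443, buf, sizeof buf, &out);
}
```

A 255-byte name encodes; a 256-byte name yields SOCKS5_RESOLVE_LOCALLY even though the buffer has room, which is the fallback the advisory describes for over-long host names.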