- 260/2023
- High
Write here cURL has released a security update to address vulnerabilities across libcurl and cURL versions before 8.4.0.
The addressed vulnerabilities could allow the remote attacker to execute arbitrary code and bypass security restrictions on the affected products due to a flaw in the curl_easy_duphandle function and a heap-based buffer overflow caused by the improper handling of hostnames longer than 255 bytes during a slow SOCKS5 proxy handshake.
Sample of the addressed vulnerabilities:
Libcurl and cURL Buffer Overflow Vulnerability (CVE-2023-38545):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Consequences: Gain Access
Vulnerabilities
- CVE-2023-38545
- CVE-2023-38546
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed and should check with its vendors for updates if any. Below is a sample of the vendors’ fixes: