gsd-2023-38545
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy
handshake.
When curl is asked to pass along the host name to the SOCKS5 proxy to allow
that to resolve the address instead of it getting done by curl itself, the
maximum length that host name can be is 255 bytes.
If the host name is detected to be longer, curl switches to local name
resolving and instead passes on the resolved address only. Due to this bug,
the local variable that means "let the host resolve the name" could get the
wrong value during a slow SOCKS5 handshake, and contrary to the intention,
copy the too long host name to the target buffer instead of copying just the
resolved address there.
The target buffer being a heap based buffer, and the host name coming from the
URL that curl has been told to operate with.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2023-38545", "id": "GSD-2023-38545" }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2023-38545" ], "details": "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.\n", "id": "GSD-2023-38545", "modified": "2023-12-13T01:20:35.764001Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2023-38545", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "curl", "version": { "version_data": [ { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "lessThan": "8.4.0", "status": "affected", "version": "8.4.0", "versionType": "semver" }, { "lessThan": "7.69.0", "status": "unaffected", "version": "7.69.0", "versionType": "semver" } ] } } ] } } ] }, "vendor_name": "curl" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.\n" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://curl.se/docs/CVE-2023-38545.html", "refsource": "MISC", "url": "https://curl.se/docs/CVE-2023-38545.html" }, { "name": "https://security.netapp.com/advisory/ntap-20231027-0009/", "refsource": "MISC", "url": "https://security.netapp.com/advisory/ntap-20231027-0009/" }, { "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/", "refsource": "MISC", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/" }, { "name": "https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability/", "refsource": "MISC", "url": "https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability/" }, { "name": "https://support.apple.com/kb/HT214036", "refsource": "MISC", "url": "https://support.apple.com/kb/HT214036" }, { "name": "https://support.apple.com/kb/HT214063", "refsource": "MISC", "url": "https://support.apple.com/kb/HT214063" }, { "name": "https://support.apple.com/kb/HT214057", "refsource": "MISC", "url": "https://support.apple.com/kb/HT214057" }, { "name": "https://support.apple.com/kb/HT214058", "refsource": "MISC", "url": "https://support.apple.com/kb/HT214058" }, { "name": "http://seclists.org/fulldisclosure/2024/Jan/34", "refsource": "MISC", "url": "http://seclists.org/fulldisclosure/2024/Jan/34" }, { "name": "http://seclists.org/fulldisclosure/2024/Jan/37", "refsource": "MISC", "url": "http://seclists.org/fulldisclosure/2024/Jan/37" }, { "name": "http://seclists.org/fulldisclosure/2024/Jan/38", "refsource": "MISC", "url": "http://seclists.org/fulldisclosure/2024/Jan/38" }, { "name": "https://security.netapp.com/advisory/ntap-20240201-0005/", "refsource": "MISC", "url": "https://security.netapp.com/advisory/ntap-20240201-0005/" } ] } }, "nvd.nist.gov": { "cve": { "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDB9B842-1D18-4026-B62C-EEBF6F97C908", "versionEndExcluding": "8.4.0", "versionStartIncluding": "7.69.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true }, { "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5", "vulnerable": true }, { "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6B89EC5-12A3-457B-A297-B525FA447BA1", "versionEndExcluding": "10.0.17763.5122", "vulnerable": true }, { "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3286F3A-3F82-4433-AC77-F4907D3B1650", "versionEndExcluding": "10.0.19044.3693", "vulnerable": true }, { "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*", "matchCriteriaId": "85ABCA53-40C8-452B-8D2F-7AAF3624DCD4", "versionEndExcluding": "10.0.19045.3693", "vulnerable": true }, { "criteria": "cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BCCEFB5-50CD-4D8A-B4A8-16B357367487", "versionEndExcluding": "10.0.22000.2600", "vulnerable": true }, { "criteria": "cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*", "matchCriteriaId": "656DB244-CD92-4288-A4CD-76ED0492D65C", "versionEndExcluding": "10.0.22621.2715", "vulnerable": true }, { "criteria": "cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC26CE6D-0DFD-4642-A806-2A312888A451", "versionEndExcluding": "10.0.22631.2715", "vulnerable": true }, { "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*", "matchCriteriaId": "940B3D77-2D2E-41F3-8450-27AF8BB17F18", "versionEndExcluding": "10.0.17763.5122", "vulnerable": true }, { "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BB96325-BCC0-4C49-AF2A-A12C5CE1D818", "versionEndExcluding": "10.0.20348.2113", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy\nhandshake.\n\nWhen curl is asked to pass along the host name to the SOCKS5 proxy to allow\nthat to resolve the address instead of it getting done by curl itself, the\nmaximum length that host name can be is 255 bytes.\n\nIf the host name is detected to be longer, curl switches to local name\nresolving and instead passes on the resolved address only. Due to this bug,\nthe local variable that means \"let the host resolve the name\" could get the\nwrong value during a slow SOCKS5 handshake, and contrary to the intention,\ncopy the too long host name to the target buffer instead of copying just the\nresolved address there.\n\nThe target buffer being a heap based buffer, and the host name coming from the\nURL that curl has been told to operate with.\n" }, { "lang": "es", "value": "Esta falla hace que curl desborde un b\u00fafer basado en el protocolo de enlace del proxy SOCKS5. Cuando se le pide a curl que pase el nombre de host al proxy SOCKS5 para permitir que resuelva la direcci\u00f3n en lugar de que lo haga curl mismo, la longitud m\u00e1xima que puede tener el nombre de host es 255 bytes. Si se detecta que el nombre de host es m\u00e1s largo, curl cambia a la resoluci\u00f3n de nombres local y en su lugar pasa solo la direcci\u00f3n resuelta. Debido a este error, la variable local que significa \"dejar que el host resuelva el nombre\" podr\u00eda obtener el valor incorrecto durante un protocolo de enlace SOCKS5 lento y, contrariamente a la intenci\u00f3n, copiar el nombre del host demasiado largo al b\u00fafer de destino en lugar de copiar solo la direcci\u00f3n resuelta all\u00ed. El b\u00fafer de destino es un b\u00fafer basado en mont\u00f3n y el nombre de host proviene de la URL con la que se le ha dicho a curl que opere." } ], "id": "CVE-2023-38545", "lastModified": "2024-04-01T15:45:40.907", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-10-18T04:15:11.077", "references": [ { "source": "support@hackerone.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2024/Jan/34" }, { "source": "support@hackerone.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2024/Jan/37" }, { "source": "support@hackerone.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2024/Jan/38" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://curl.se/docs/CVE-2023-38545.html" }, { "source": "support@hackerone.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/" }, { "source": "support@hackerone.com", "tags": [ "Third Party Advisory" ], "url": "https://security.netapp.com/advisory/ntap-20231027-0009/" }, { "source": "support@hackerone.com", "tags": [ "Third Party Advisory" ], "url": "https://security.netapp.com/advisory/ntap-20240201-0005/" }, { "source": "support@hackerone.com", "tags": [ "Third Party Advisory" ], "url": "https://support.apple.com/kb/HT214036" }, { "source": "support@hackerone.com", "tags": [ "Third Party Advisory" ], "url": "https://support.apple.com/kb/HT214057" }, { "source": "support@hackerone.com", "tags": [ "Third Party Advisory" ], "url": "https://support.apple.com/kb/HT214058" }, { "source": "support@hackerone.com", "tags": [ "Third Party Advisory" ], "url": "https://support.apple.com/kb/HT214063" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability/" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-787" } ], "source": "nvd@nist.gov", "type": "Primary" } ] } } } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.