Lucene search

[email protected]CVE-2023-28320

HistoryMay 26, 2023 - 9:15 p.m.

CVE-2023-28320

2023-05-2621:15:15

CWE-400

CWE-362

[email protected]

web.nvd.nist.gov

curl

denial of service

vulnerability

cve-2023-28320

nvd

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

6.3 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.0%

JSON

A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm() and siglongjmp(). When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.

Affected configurations

NVD

Node

haxxcurlRange<8.1.0

Node

applemacosRange11.0–11.7.9

applemacosRange12.0–12.6.8

applemacosRange13.0–13.5

Node

netappclustered_data_ontapMatch-

netappontap_antivirus_connectorMatch-

Node

netapph300s_firmwareMatch-

AND

netapph300sMatch-

Node

netapph500s_firmwareMatch-

AND

netapph500sMatch-

Node

netapph700s_firmwareMatch-

AND

netapph700sMatch-

Node

netapph410s_firmwareMatch-

AND

netapph410sMatch-

CPENameOperatorVersion
haxx:curlhaxx curllt8.1.0

CPE	Name	Operator	Version
haxx:curl	haxx curl	lt	8.1.0

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "https://github.com/curl/curl",
    "versions": [
      {
        "version": "Fixed in 8.1.0",
        "status": "affected"
      }
    ]
  }
]