curl vulnerabilities

2023-07-1912:11:55

Google

osv.dev

hiroki kurosawa

certificate wildcard validation

callbacks handling

information disclosure

denial of service

cookie saving issue

local attacker

ubuntu 22.10

ubuntu 23.04

curl

cve-2023-28321

cve-2023-28322

cve-2023-32001

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

7.2 High

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

56.6%

JSON

Hiroki Kurosawa discovered that curl incorrectly handled validating certain
certificate wildcards. A remote attacker could possibly use this issue to
spoof certain website certificates using IDN hosts. (CVE-2023-28321)

Hiroki Kurosawa discovered that curl incorrectly handled callbacks when
certain options are set by applications. This could cause applications
using curl to misbehave, resulting in information disclosure, or a denial
of service. (CVE-2023-28322)

It was discovered that curl incorrectly handled saving cookies to files. A
local attacker could possibly use this issue to create or overwrite files.
This issue only affected Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-32001)