CVE-2023-27538 – curl: SSH connection too eager reuse still
https://notcve.org/view.php?id=CVE-2023-27538
An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection. • https://hackerone.com/reports/1898475 https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0010 https://access.redhat.com/security/cve/CVE-2023-27538 https://bugzilla.redhat.com/show_bug.cgi?id=2179103 • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •
CVE-2023-27533 – curl: TELNET option IAC injection
https://notcve.org/view.php?id=CVE-2023-27533
A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system. • https://hackerone.com/reports/1891474 https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0011 https://access.redhat.com/security/cve/CVE-2023-27533 https://bugzilla.redhat.com/show_bug.cgi?id=2179062 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) •
CVE-2023-23915 – curl: HSTS amnesia with --parallel
https://notcve.org/view.php?id=CVE-2023-23915
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS. A flaw was found in the Curl package, where the HSTS mechanism could fail when multiple transfers are done in parallel, as the HSTS cache file gets overwritten by the most recently completed transfer. • https://hackerone.com/reports/1826048 https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230309-0006 https://access.redhat.com/security/cve/CVE-2023-23915 https://bugzilla.redhat.com/show_bug.cgi?id=2167813 • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2023-23914 – curl: HSTS ignored on multiple requests
https://notcve.org/view.php?id=CVE-2023-23914
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on. A flaw was found in the Curl package, where the HSTS mechanism would be ignored by subsequent transfers when done on the same command line because the state would not be properly carried. This issue may result in limited confidentiality and integrity. • https://hackerone.com/reports/1813864 https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230309-0006 https://access.redhat.com/security/cve/CVE-2023-23914 https://bugzilla.redhat.com/show_bug.cgi?id=2167797 • CWE-319: Cleartext Transmission of Sensitive Information •
CVE-2022-1292 – The c_rehash script allows command injection
https://notcve.org/view.php?id=CVE-2022-1292
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). • https://github.com/alcaparra/CVE-2022-1292 https://github.com/li8u99/CVE-2022-1292 https://github.com/greek0x0/CVE-2022-1292 https://github.com/rama291041610/CVE-2022-1292 https://github.com/und3sc0n0c1d0/CVE-2022-1292 https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2 https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb https://git • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •