CVSS: 8.8EPSS: 0%CPEs: 15EXPL: 1CVE-2023-27533 – curl: TELNET option IAC injection
https://notcve.org/view.php?id=CVE-2023-27533
A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system. • https://hackerone.com/reports/1891474 https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0011 https://access.redhat.com/security/cve/CVE-2023-27533 https://bugzilla.redhat.com/show_bug.cgi?id=2179062 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) •
CVSS: 8.8EPSS: 0%CPEs: 15EXPL: 1CVE-2023-27534 – curl: SFTP path ~ resolving discrepancy
https://notcve.org/view.php?id=CVE-2023-27534
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user. • https://hackerone.com/reports/1892351 https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0012 https://access.redhat.com/security/cve/CVE-2023-27534 https://bugzilla.redhat.com/show_bug.cgi?id=2179069 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.7EPSS: 0%CPEs: 11EXPL: 0CVE-2023-26545 – kernel: mpls: double free on sysctl allocation failure
https://notcve.org/view.php?id=CVE-2023-26545
In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device. A double-free flaw was found in the Linux kernel when the MPLS implementation handled sysctl allocation failures. This issue could allow a local user to cause a denial of service or possibly execute arbitrary code. • https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.13 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fda6c89fe3d9aca073495a664e1d5aea28cd4377 https://github.com/torvalds/linux/commit/fda6c89fe3d9aca073495a664e1d5aea28cd4377 https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html https://security.netapp.com/advisory/ntap-20230316-0009 https://access.redhat.com/security/cve/CVE-2023-26545 • CWE-415: Double Free •
CVSS: 7.5EPSS: 0%CPEs: 22EXPL: 3CVE-2023-0045 – Incorrect indirect branch prediction barrier in the Linux Kernel
https://notcve.org/view.php?id=CVE-2023-0045
The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall. The patch that added the support for the conditional mitigation via prctl (ib_prctl_set) dates back to the kernel 4.9.176. We recommend upgrading past commit a664ec9158eeddd75121d39c9a0758016097fa96 • https://github.com/ASkyeye/CVE-2023-0045 https://github.com/es0j/CVE-2023-0045 https://git.kernel.org/tip/a664ec9158eeddd75121d39c9a0758016097fa96 https://github.com/google/security-research/security/advisories/GHSA-9x5g-vmxf-4qj8 https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html https://security.netapp.com/advisory/ntap-20230714-0001 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 6.5EPSS: 0%CPEs: 16EXPL: 1CVE-2023-23916 – curl: HTTP multi-header compression denial of service
https://notcve.org/view.php?id=CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors. A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. • https://hackerone.com/reports/1826048 https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230309-0006 https://www.debian.org/security/2023/dsa-5365 https://access.redhat.com/security/cve/CVE-2023-23916 https://bugzilla.redhat.com/show_bug.cgi?id=2167815 • CWE-770: Allocation of Resources Without Limits or Throttling •