CVE-2023-27537
https://notcve.org/view.php?id=CVE-2023-27537
A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free. • https://hackerone.com/reports/1897203 https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0010 • CWE-415: Double Free •
CVE-2023-27534 – curl: SFTP path ~ resolving discrepancy
https://notcve.org/view.php?id=CVE-2023-27534
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user. • https://hackerone.com/reports/1892351 https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0012 https://access.redhat.com/security/cve/CVE-2023-27534 https://bugzilla.redhat.com/show_bug.cgi?id=2179069 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-27538 – curl: SSH connection too eager reuse still
https://notcve.org/view.php?id=CVE-2023-27538
An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection. • https://hackerone.com/reports/1898475 https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230420-0010 https://access.redhat.com/security/cve/CVE-2023-27538 https://bugzilla.redhat.com/show_bug.cgi?id=2179103 • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness •
CVE-2023-28531
https://notcve.org/view.php?id=CVE-2023-28531
ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AN2UDTXEUSKFIOIYMV6JNI5VSBMYZOFT https://security.gentoo.org/glsa/202307-01 https://security.netapp.com/advisory/ntap-20230413-0008 https://www.debian.org/security/2023/dsa-5586 https://www.openwall.com/lists/oss-security/2023/03/15/8 •
CVE-2021-4197 – kernel: cgroup: Use open-time creds and namespace for migration perm checks
https://notcve.org/view.php?id=CVE-2021-4197
An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system. Se encontró un fallo de escritura no privilegiado en el manejador de archivos en el subsistema de grupos de control y espacios de nombres del kernel de Linux en la forma en que los usuarios presentan acceso a algunos procesos menos privilegiados que son controlados por cgroups y presentan procesos padres con mayores privilegios. En realidad se trata de las versiones cgroup2 y cgroup1 de los grupos de control. • https://bugzilla.redhat.com/show_bug.cgi?id=2035652 https://lore.kernel.org/lkml/20211209214707.805617-1-tj%40kernel.org/T https://security.netapp.com/advisory/ntap-20220602-0006 https://www.debian.org/security/2022/dsa-5127 https://www.debian.org/security/2022/dsa-5173 https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2021-4197 • CWE-287: Improper Authentication •