CVE-2023-38545

CVE Details

Release Date:2023-10-11
Impact:Important What is this?

Description


This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means \let

See more information about CVE-2023-38545 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 7.5
Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.0
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 9 (curl)ELSA-2023-57632023-10-18
Oracle Linux version 9 (curl)ELSA-2023-67452023-11-16


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete