CVE-2023-38545, CVE-2023-38546: Frequently Asked Questions for New Vulnerabilities in curl

Frequently asked questions relating to two vulnerabilities patched in curl version 8.4.0

Background

On October 3, Daniel Stenberg, an open-source developer and the maintainer of curl, posted on X (formerly Twitter) that a new high-severity CVE would be fixed in curl 8.4.0. Daniel noted that the release would be ahead of schedule and made available on October 11, adding in a reply to the thread that this is “the worst security problem found in curl in a long time.”

FAQ

What is curl and libcurl?

Client for URL (or “curl”) is a command-line interface (CLI) tool used to transfer files to and from servers. curl supports a variety of protocols and is backed by the libcurl library, which provides multiple APIs and bindings for a multitude of programming languages. curl is widely used by system administrators and developers.

What is the difference between curl and libcurl?

libcurl is a development library (shortened to “lib”) that allows other programs to use curl’s transfer functionality, whereas “curl” is the CLI tool or frontend that is run from a script or a shell prompt. Stenberg’s post offers a great summary of the differences between the two.

What vulnerabilities were fixed in curl 8.4.0?

As of October 4, no details are available for the vulnerabilities fixed in curl 8.4.0, and we do not anticipate those details will be available until October 11. However, a discussion post on the GitHub repository for the curl project does provide some basic information, shown in the table below:

CVE             Description  Severity  Affects
CVE-2023-38545  Unknown      High      libcurl and curl
CVE-2023-38546  Unknown      Low       libcurl

When will patches be available?

According to the GitHub discussion post and the Twitter announcement, curl version 8.4.0 will be released on October 11 to address both vulnerabilities.

Has either of these CVEs been exploited in the wild?

As of October 4, we do not have any information as to whether or not these vulnerabilities have been exploited in the wild.

How widely used is curl?

curl is one of the most widely used open source projects, as it is in use in a variety of applications and devices worldwide. It ships with Windows 10 and later as well as with many Linux distributions.

Identifying affected systems

Once curl 8.4.0 has been released on October 11, plugins will be developed and released to address both CVEs. In the meantime, we recommend visiting the Plugins Pipeline for information on upcoming plugin releases.

Until then, customers can use Plugin ID 171860 to identify curl installations on Windows hosts.
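The following POSIX shell script is an added example, not part of Tenable’s post or the curl project, for building a quick inventory of curl binaries on Linux or macOS hosts ahead of the plugin release. It assumes the first line of `curl --version` has the usual form `curl <version> (<platform>) libcurl/<version> ...`, and it treats 8.4.0 (the fixing release named above) as the threshold; because affected version ranges were not published as of October 4, it only distinguishes “pre-8.4.0” from “8.4.0 or later” and does not claim a host is exploitable.

```shell
#!/bin/sh
# Added example: flag curl binaries whose reported version predates curl 8.4.0,
# the release that fixes CVE-2023-38545 and CVE-2023-38546.

FIX_VERSION="8.4.0"   # from the advisory; affected ranges are not yet published

# Parse the first line of `curl --version` (assumed format:
# "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 ...")
# and print "<curl version> <libcurl version>". libcurl is reported
# separately because a CLI can be linked against a different libcurl build.
parse_curl_version() {
    line=$1
    curl_ver=$(printf '%s\n' "$line" | awk '{print $2}')
    libcurl_ver=$(printf '%s\n' "$line" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p')
    printf '%s %s\n' "$curl_ver" "${libcurl_ver:-unknown}"
}

# Return 0 (true) when dotted version $1 is numerically older than $2.
# Compares major.minor.patch as integers, so 8.10.0 sorts after 8.4.0
# (a plain string comparison would get this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify one `curl --version` header line as "needs-update <ver>" or "ok <ver>".
classify_curl_line() {
    ver=$(parse_curl_version "$1" | cut -d' ' -f1)
    if version_lt "$ver" "$FIX_VERSION"; then
        printf 'needs-update %s\n' "$ver"
    else
        printf 'ok %s\n' "$ver"
    fi
}

# Constructed sample header lines (not real host output) to exercise the parser.
SAMPLE_LINES='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9 zlib/1.2.13
curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11
curl 8.3.0 (Windows) libcurl/8.3.0 Schannel'

# Classify every sample line; prints one result per line.
classify_samples() {
    printf '%s\n' "$SAMPLE_LINES" | while IFS= read -r l; do
        classify_curl_line "$l"
    done
}

# Inventory the curl binary on this host. Exit status: 0 ok, 1 needs update,
# 2 curl not found. Note that applications bundling their own libcurl are not
# covered by checking the CLI alone.
check_local_curl() {
    command -v curl >/dev/null 2>&1 || { echo "curl not found in PATH"; return 2; }
    first=$(curl --version 2>/dev/null | head -n 1)
    result=$(classify_curl_line "$first")
    echo "$result"
    case $result in
        needs-update*) return 1 ;;
        *) return 0 ;;
    esac
}
```

Run `check_local_curl` on each host you manage and collect the exit statuses; the libcurl version printed by `parse_curl_version` is worth recording too, since CVE-2023-38546 is listed as affecting libcurl only, and programs that link their own copy of libcurl will not show up in a check of the `curl` binary.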

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
