Curl Releases Fixes For High-Severity Vulnerability
In a recent security alert, the team behind the popular open-source tool curl has announced the release of fixes for two vulnerabilities: CVE-2023-38545 and CVE-2023-38546.
Today’s release marks a crucial step in addressing these security concerns. Curl, a command-line tool for data transfer supporting various network protocols, plays a vital role in countless applications, with over 20 billion installations worldwide. Its underlying library, libcurl, also serves as a backbone for web-aware applications, making it an essential component of the internet ecosystem.
The high-severity vulnerability, CVE-2023-38545, affects both curl and libcurl, potentially allowing a heap buffer overflow in the SOCKS5 proxy handshake. This flaw could be exploited under specific conditions and poses a significant security risk.
The low-severity CVE-2023-38546, on the other hand, pertains to a cookie injection issue within libcurl, offering attackers the ability to insert cookies into a running program.
“Attackers may integrate such vulnerabilities into automated tools, malware and bots, enabling automatic exploitation across various systems and applications,” explained Saeed Abbasi, manager of vulnerability and threat research at Qualys.
“While the exploitation involves using a slow SOCKS5 handshake and a specifically crafted URL, it’s conceivable that the technical barrier might not be excessively high for attackers with a certain level of expertise.”
The release of curl 8.4.0 aims to address these vulnerabilities, primarily focusing on CVE-2023-38545. This update ensures that curl no longer switches to local resolve mode if a hostname is too long, thus mitigating the risk of heap buffer overflows.
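The fix described above comes down to a bounds decision: a hostname that does not fit the protocol must be rejected outright, not routed into an alternative code path. The following added example (not curl's or libcurl's code) shows a minimal SOCKS5 CONNECT request encoder per RFC 1928, which carries a domain name behind a one-byte length field and therefore cannot represent names longer than 255 bytes; the encoder fails closed on such a name. The names `build_connect_request`, `hostname_fits_socks5` and `HostnameTooLong` are chosen for this example, and hostnames are assumed to be ASCII already.

```python
"""SOCKS5 CONNECT request builder with an explicit hostname-length check.

Added example, not curl's code. RFC 1928 encodes a domain-name destination as a
one-byte length followed by the name, so a hostname longer than 255 bytes cannot
be sent to the proxy for remote resolution. This builder rejects such a hostname
with an error instead of quietly taking a different code path.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
RESERVED = 0x00
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04
MAX_DOMAIN_LEN = 255  # limit imposed by the one-byte length field in RFC 1928


class HostnameTooLong(ValueError):
    """Hostname does not fit the SOCKS5 domain-name length field."""


def hostname_fits_socks5(host: str) -> bool:
    """True if the ASCII form of `host` can be carried in a SOCKS5 domain-name field."""
    return 0 < len(host.encode("ascii")) <= MAX_DOMAIN_LEN


def build_connect_request(host: str, port: int) -> bytes:
    """Return the SOCKS5 CONNECT request for host:port.

    IP literals are sent with ATYP 1 (IPv4) or 4 (IPv6); anything else is sent as a
    domain name for the proxy to resolve. Hostnames are assumed to be ASCII already
    (IDNA conversion is out of scope for this example).
    """
    if not 0 < port <= 0xFFFF:
        raise ValueError(f"port out of range: {port}")

    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None

    if addr is not None:
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        dest = bytes([atyp]) + addr.packed
    else:
        raw = host.encode("ascii")
        if len(raw) == 0:
            raise ValueError("empty hostname")
        if len(raw) > MAX_DOMAIN_LEN:
            # Fail closed: there is no safe way to hand this name to the proxy.
            raise HostnameTooLong(
                f"hostname is {len(raw)} bytes; SOCKS5 allows at most {MAX_DOMAIN_LEN}"
            )
        dest = bytes([ATYP_DOMAIN, len(raw)]) + raw

    header = struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, RESERVED)
    return header + dest + struct.pack("!H", port)


if __name__ == "__main__":
    print(build_connect_request("example.com", 443).hex())
    try:
        build_connect_request("a" * 300, 443)
    except HostnameTooLong as exc:
        print("rejected:", exc)
```

The design point is that the length check happens before any buffer is filled and produces a hard error; a client that instead silently changed strategy for over-long names would have two code paths to keep consistent, which is exactly the kind of state that is easy to get wrong across a multi-step handshake.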
Writing in the Qualys blog last week, Abbasi recommended that organizations urgently inventory and scan the systems that use curl and libcurl to identify potentially vulnerable versions.
“Organizations must act swiftly to inventory, scan, and update all systems utilizing curl and libcurl,” he warned.
“In particular, the gravity of the high-severity vulnerability mandates immediate and cautious attention to safeguarding interconnected and web-aware applications, ensuring the rich data transfer functionality curl and libcurl provide remains unimpaired and secure.”
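The inventory step Abbasi recommends usually starts with version strings. The following added example (not Qualys or curl code) parses the first line of `curl --version` and flags any curl or libcurl version below 8.4.0, the release named above as carrying the fixes; it checks the binary and the linked libcurl separately because the two can differ on a host. The sample outputs are constructed for offline use, and `parse_versions`, `flagged_components` and `check_local_curl` are names chosen for this example.

```python
"""Inventory check for curl/libcurl versions (added example, not Qualys or curl code).

Parses the first line of `curl --version` and flags any curl or libcurl version
below 8.4.0, the release the advisory names as carrying the fixes. The sample
outputs below are constructed for offline use.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

FIXED_VERSION: Version = (8, 4, 0)  # curl 8.4.0 ships the fixes

# First line of `curl --version` looks like:
#   curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 ...
_CURL_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)", re.MULTILINE)
_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def _to_version(match: Optional["re.Match"]) -> Optional[Version]:
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def parse_versions(output: str) -> Dict[str, Optional[Version]]:
    """Return {'curl': (maj, min, patch), 'libcurl': (...)}; None where unparseable."""
    return {
        "curl": _to_version(_CURL_RE.search(output)),
        "libcurl": _to_version(_LIBCURL_RE.search(output)),
    }


def flagged_components(output: str) -> List[str]:
    """Names of components below FIXED_VERSION, or whose version could not be read.

    An unparseable version is flagged rather than ignored so that odd builds get a
    human look instead of silently passing the scan.
    """
    flagged = []
    for name, version in parse_versions(output).items():
        if version is None or version < FIXED_VERSION:
            flagged.append(name)
    return flagged


def check_local_curl(binary: str = "curl") -> List[str]:
    """Run the real binary on this host and return the flagged component names."""
    result = subprocess.run(
        [binary, "--version"], capture_output=True, text=True, check=False
    )
    return flagged_components(result.stdout)


# Constructed sample outputs (first line of `curl --version` on three hypothetical hosts).
SAMPLE_OLD = "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13\n"
SAMPLE_FIXED = "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13\n"
SAMPLE_MIXED = "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.11 zlib/1.2.13\n"

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED), ("mixed", SAMPLE_MIXED)):
        print(f"{label}: {parse_versions(sample)} -> flagged {flagged_components(sample)}")
```

Two caveats apply when using a check like this in practice. Distribution packages often backport the fix without changing the upstream version number, so a flagged host needs its package changelog or vendor advisory consulted before it is declared vulnerable. Conversely, the `curl` binary is only one consumer of libcurl; applications that bundle or statically link their own copy of the library will not show up in this scan and need to be found through software inventory or SBOM data.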
Now that patches for these flaws are available, companies should update promptly to secure their systems.