Curl Releases Fixes For High-Severity Vulnerability

In a recent security alert, the team behind the popular open-source tool curl has announced the release of fixes for two vulnerabilities: CVE-2023-38545 and CVE-2023-38546.
Today’s release marks a crucial step in addressing these security concerns. Curl, a command-line tool for data transfer supporting various network protocols, plays a vital role in countless applications, with over 20 billion installations worldwide. Its underlying library, libcurl, also serves as a backbone for web-aware applications, making it an essential component of the internet ecosystem.
The high-severity vulnerability, CVE-2023-38545, affects both curl and libcurl, potentially allowing a heap buffer overflow in the SOCKS5 proxy handshake. This flaw could be exploited under specific conditions and poses a significant security risk.
The low-severity CVE-2023-38546, on the other hand, pertains to a cookie injection issue within libcurl, offering attackers the ability to insert cookies into a running program.
“Attackers may integrate such vulnerabilities into automated tools, malware and bots, enabling automatic exploitation across various systems and applications,” explained Saeed Abbasi, manager of vulnerability and threat research at Qualys.
“While the exploitation involves using a slow SOCKS5 handshake and a specifically crafted URL, it’s conceivable that the technical barrier might not be excessively high for attackers with a certain level of expertise.”
The release of curl 8.4.0 aims to address these vulnerabilities, primarily focusing on CVE-2023-38545. This update ensures that curl no longer switches to local resolve mode if a hostname is too long, thus mitigating the risk of heap buffer overflows.
Writing on the Qualys blog last week, Abbasi recommended that organizations urgently inventory and scan the systems that use curl and libcurl in order to identify potentially vulnerable versions.
“Organizations must act swiftly to inventory, scan, and update all systems utilizing curl and libcurl,” he warned.
“In particular, the gravity of the high-severity vulnerability mandates immediate and cautious attention to safeguarding interconnected and web-aware applications, ensuring the rich data transfer functionality curl and libcurl provide remains unimpaired and secure.”
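The inventory step Abbasi recommends can be scripted. The following is an added example, not code from the article, Qualys or the curl project; it classifies the first line of `curl --version` output and flags any curl or libcurl older than 8.4.0 (the release the article names as the fix) as needing the update. The sample banners are constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or the curl project): decide whether a
# host's curl/libcurl needs the 8.4.0 release that fixes CVE-2023-38545 and
# CVE-2023-38546. Assumption: anything below 8.4.0 is flagged for update.

FIXED_VERSION="8.4.0"

# version_lt A B: exit 0 when A is older than B, comparing major.minor.patch
# numerically (missing components count as 0, so "8.4" equals "8.4.0").
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xa = (i <= n) ? x[i] + 0 : 0
            yb = (i <= m) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 1
    }'
}

# classify_banner "<first line of curl --version>": prints "update <ver>" when
# either the curl binary or the libcurl it links is older than 8.4.0, otherwise
# "ok <ver>". The libcurl token is checked separately because the heap overflow
# lives in the library: a patched binary on top of an unpatched shared libcurl
# is still exposed.
classify_banner() {
    bin_ver=$(printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p')
    lib_ver=$(printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p')
    [ -n "$bin_ver" ] || { echo "unknown"; return 2; }
    [ -n "$lib_ver" ] || lib_ver=$bin_ver
    for v in "$bin_ver" "$lib_ver"; do
        if version_lt "$v" "$FIXED_VERSION"; then
            echo "update $v"; return 1
        fi
    done
    echo "ok $bin_ver"; return 0
}

# Constructed sample banners (not captured from real hosts), in the format of
# the first line printed by `curl --version`.
SAMPLE_OLD='curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11'
SAMPLE_NEW='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11'
SAMPLE_MIXED='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.11'

# On a real host: classify_banner "$(curl --version 2>/dev/null | head -n 1)"
```

The non-zero return codes (1 for update, 2 for unknown) let the function drive a fleet-wide inventory job without parsing its output.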
Now that patches for these flaws are available, companies should update promptly to secure their systems.