CVE-2023-38545
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
18/10/2023
Last modified:
13/02/2025
Description
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy<br />
handshake.<br />
<br />
When curl is asked to pass along the host name to the SOCKS5 proxy to allow<br />
that to resolve the address instead of it getting done by curl itself, the<br />
maximum length that host name can be is 255 bytes.<br />
<br />
If the host name is detected to be longer, curl switches to local name<br />
resolving and instead passes on the resolved address only. Due to this bug,<br />
the local variable that means "let the host resolve the name" could get the<br />
wrong value during a slow SOCKS5 handshake, and contrary to the intention,<br />
copy the too long host name to the target buffer instead of copying just the<br />
resolved address there.<br />
<br />
The target buffer being a heap based buffer, and the host name coming from the<br />
URL that curl has been told to operate with.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* | 7.69.0 (including) | 8.4.0 (excluding) |
| cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* | ||
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* | ||
| cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:* | 10.0.17763.5122 (excluding) | |
| cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* | 10.0.19044.3693 (excluding) | |
| cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:* | 10.0.19045.3693 (excluding) | |
| cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:* | 10.0.22000.2600 (excluding) | |
| cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:* | 10.0.22621.2715 (excluding) | |
| cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:* | 10.0.22631.2715 (excluding) | |
| cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* | 10.0.17763.5122 (excluding) | |
| cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:* | 10.0.20348.2113 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://seclists.org/fulldisclosure/2024/Jan/34
- http://seclists.org/fulldisclosure/2024/Jan/37
- http://seclists.org/fulldisclosure/2024/Jan/38
- https://curl.se/docs/CVE-2023-38545.html
- https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/
- https://security.netapp.com/advisory/ntap-20231027-0009/
- https://security.netapp.com/advisory/ntap-20240201-0005/
- https://support.apple.com/kb/HT214036
- https://support.apple.com/kb/HT214057
- https://support.apple.com/kb/HT214058
- https://support.apple.com/kb/HT214063
- https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability/
- http://seclists.org/fulldisclosure/2024/Jan/34
- http://seclists.org/fulldisclosure/2024/Jan/37
- http://seclists.org/fulldisclosure/2024/Jan/38
- https://curl.se/docs/CVE-2023-38545.html
- https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/
- https://security.netapp.com/advisory/ntap-20231027-0009/
- https://security.netapp.com/advisory/ntap-20240201-0005/
- https://support.apple.com/kb/HT214036
- https://support.apple.com/kb/HT214057
- https://support.apple.com/kb/HT214058
- https://support.apple.com/kb/HT214063
- https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability/
- https://github.com/UTsweetyfish/CVE-2023-38545
- https://github.com/bcdannyboy/CVE-2023-38545
- https://github.com/dbrugman/CVE-2023-38545-POC