On October 5, 2023, Daniel Stenberg, the maintainer of curl, issued an early warning about two security vulnerabilities in the widely used network data transfer tool. One of these vulnerabilities, CVE-2023-38545, is of HIGH severity and is described by Stenberg as 'probably the worst curl security flaw in a long time.'
curl and its library, libcurl, are used extensively for network data transfer. Both support a multitude of protocols, including HTTP, HTTPS, FTP, FTPS, SFTP, SCP and TFTP, among others. They are in use by countless individuals and organizations: curl ships as a standard component of most Linux distributions and can be installed on macOS and Windows, while libcurl is embedded in a wide range of software, including web browsers, download managers, and file transfer clients.
The new curl version 8.4.0, which will address these vulnerabilities, along with details about the two CVEs, is scheduled for publication at 06:00 UTC on October 11, 2023. The potential widespread impact of the libcurl vulnerability is of particular concern. While every application using libcurl could potentially be affected, the exact conditions for triggering the vulnerability are unclear at this point. Stenberg acknowledges the difficulty in identifying specific vulnerable libcurl users at this time.
The HIGH severity vulnerability, CVE-2023-38545, affects both libcurl and the curl tool. However, it's important to stress that not all users will be impacted by this vulnerability. The other vulnerability, CVE-2023-38546, is of LOW severity and only affects libcurl, not the curl tool. Despite being less severe than CVE-2023-38545, it's still crucial to be aware of it. The most effective way to guard against these vulnerabilities is to upgrade to curl version 8.4.0 as soon as it becomes available.
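Since the article's only concrete defensive guidance is "upgrade to 8.4.0", the practical first step is an inventory: find which hosts still run a curl or libcurl older than the fix release. The shell script below is an added example, not part of the article or of the curl project; it parses the first line of `curl --version` output, compares the version numerically against 8.4.0 (the fix release named in the article; it makes no claim about which older versions are actually affected, which the article does not state), and reports `needs-upgrade` or `fixed`. The two sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: classify a `curl --version` output against the 8.4.0 fix release.
# Assumption: "below 8.4.0" means "lacks the fix"; the affected range itself is not
# known from the article, so nothing finer-grained is asserted here.

# Extract "X.Y.Z" from the first line of `curl --version` output,
# e.g. "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 ..." -> "8.1.2".
curl_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when dotted version $1 is numerically lower than $2.
# Field-wise numeric sort so that 8.10.0 is correctly treated as newer than 8.4.0.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Print "needs-upgrade", "fixed" or "unknown" for the given `curl --version` output.
classify_curl_output() {
    ver=$(curl_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "8.4.0"; then
        echo "needs-upgrade"
    else
        echo "fixed"
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OLD='curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2023-05-30'
SAMPLE_NEW='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2023-10-11'

# Classify the constructed samples, then the host's own curl if one is installed.
echo "sample old: $(classify_curl_output "$SAMPLE_OLD")"
echo "sample new: $(classify_curl_output "$SAMPLE_NEW")"
if command -v curl >/dev/null 2>&1; then
    echo "local curl: $(classify_curl_output "$(curl --version 2>/dev/null)")"
fi
```

Run it unchanged on a host to see its own curl classified; in a fleet, feed the captured `curl --version` output of each machine to `classify_curl_output` and collect the `needs-upgrade` results. Note that this checks only the curl binary's bundled libcurl version; applications that ship their own copy of libcurl must be checked separately, which is the identification difficulty the article points out.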