First published: Thu Mar 16 2023(Updated: )
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM Engineering Requirements Management DOORS Web Access | <=9.7.2.7 | |
IBM Rational DOORS Web Access | <=9.7.2.7 | |
redhat/curl | <8.0.0 | 8.0.0 |
Curl | >=7.18.0<=7.88.1 | |
Red Hat Fedora | =36 | |
NetApp Active IQ Unified Manager for VMware vSphere | ||
Brocade Fabric Operating System | ||
NetApp H300S Firmware | ||
NetApp H300S Firmware | ||
NetApp H500e Firmware | ||
NetApp H500e Firmware | ||
NetApp H700S | ||
NetApp H700S | ||
NetApp H410S | ||
NetApp H410S Firmware | ||
All of | ||
NetApp H300S Firmware | ||
NetApp H300S Firmware | ||
All of | ||
NetApp H500e Firmware | ||
NetApp H500e Firmware | ||
All of | ||
NetApp H700S | ||
NetApp H700S | ||
All of | ||
NetApp H410S | ||
NetApp H410S Firmware | ||
Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
Splunk Universal Forwarder | =9.1.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2023-27534 is high with a severity value of 8.8.
The path traversal vulnerability in CVE-2023-27534 allows attackers to wrongly replace the tilde (~) character when used as a prefix in the first path element, causing potential unauthorized access to files outside the intended directory.
The curl versions prior to 8.0.0 and between 7.18.0 and 7.88.1 are affected by CVE-2023-27534.
To fix the path traversal vulnerability in curl <8.0.0, you should update curl to version 8.0.0 or higher.
You can find more information about CVE-2023-27534 in the provided references: [link1](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04), [link2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2180434), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2180436).