- Vulnerability/
- CVE-2023-38545
3/10/2023
11/10/2023
18/10/2023
14/11/2023
14/3/2024
24/4/2024
CVE-2023-38545: curl and libcurl CVE-2023-38545 and CVE-2023-38546 vulnerabilities
First published: Tue Oct 03 2023(Updated: )
curl. Multiple issues were addressed by updating to curl version 8.4.0.
Credit: support@hackerone.com CVE-2023-38545 CVE-2023-38039 CVE-2023-38546 CVE-2023-42915 support@hackerone.com support@hackerone.com CVE-2023-38545 CVE-2023-38039 CVE-2023-38546 CVE-2023-38545 CVE-2023-38039 CVE-2023-38546 CVE-2023-38545 CVE-2023-38039 CVE-2023-38546
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Windows Server 2019 | ||
| Microsoft Windows 11 | =23H2 | |
| Microsoft Windows 11 | =22H2 | |
| Microsoft Windows 11 | =21H2 | |
| Microsoft Windows 11 | =22H2 | |
| Microsoft Windows 11 | =23H2 | |
| Microsoft Windows Server 2019 | ||
| Microsoft Windows 11 | =21H2 | |
| Microsoft Windows Server 2022 | ||
| Microsoft Windows Server 2022 | ||
| Microsoft Windows 10 | =21H2 | |
| Microsoft Windows 10 | =22H2 | |
| Microsoft Windows 10 | =21H2 | |
| Microsoft Windows 10 | =21H2 | |
| Microsoft Windows 10 | =22H2 | |
| Microsoft Windows 10 | =1809 | |
| Microsoft Windows 10 | =1809 | |
| Microsoft Windows 10 | =22H2 | |
| Microsoft Windows 10 | =1809 | |
| Microsoft Windows 11 | =21H2 | |
| Microsoft Windows 10 | =22H2 | |
| Microsoft Windows 10 | =21H2 | |
| Microsoft Windows 10 | =1809 | |
| Microsoft Windows 10 | =21H2 | |
| Microsoft Windows 10 | =1809 | |
| Microsoft Windows 10 | =21H2 | |
| Microsoft Windows 11 | =22H2 | |
| Microsoft Windows 11 | =23H2 | |
| Microsoft Windows Server 2019 | ||
| Microsoft Windows Server 2019 | ||
| Microsoft Windows 11 | =23H2 | |
| Microsoft Windows 11 | =21H2 | |
| Microsoft Windows 11 | =22H2 | |
| Microsoft Windows 10 | =22H2 | |
| Microsoft Windows Server 2022 | ||
| Microsoft Windows 10 | =1809 | |
| Microsoft Windows 10 | =22H2 | |
| Microsoft Windows Server 2022 | ||
| IBM IBM® Engineering Requirements Management DOORS | <=9.7.2.7 | |
| IBM IBM® Engineering Requirements Management DOORS Web Access | <=9.7.2.7 | |
| Apple iOS | <16.7.5 | 16.7.5 |
| Apple iPadOS | <16.7.5 | 16.7.5 |
| Apple macOS Sonoma | <14.2 | 14.2 |
| redhat/curl | <8.4.0 | 8.4.0 |
| Apple macOS Ventura | <13.6.4 | 13.6.4 |
| Apple macOS Monterey | <12.7.3 | 12.7.3 |
| Haxx Libcurl | >=7.69.0<8.4.0 | |
| Fedoraproject Fedora | =37 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| Microsoft Windows 10 1809 | <10.0.17763.5122 | |
| Microsoft Windows 10 21h2 | <10.0.19044.3693 | |
| Microsoft Windows 10 22h2 | <10.0.19045.3693 | |
| Microsoft Windows 11 21h2 | <10.0.22000.2600 | |
| Microsoft Windows 11 22h2 | <10.0.22621.2715 | |
| Microsoft Windows 11 23h2 | <10.0.22631.2715 | |
| Microsoft Windows Server 2019 | <10.0.17763.5122 | |
| Microsoft Windows Server 2022 | <10.0.20348.2113 | |
| ubuntu/curl | <7.81.0-1ubuntu1.14 | 7.81.0-1ubuntu1.14 |
| ubuntu/curl | <7.88.1-8ubuntu2.3 | 7.88.1-8ubuntu2.3 |
| ubuntu/curl | <8.2.1-1ubuntu3.1 | 8.2.1-1ubuntu3.1 |
| ubuntu/curl | <8.2.1-1ubuntu3.1 | 8.2.1-1ubuntu3.1 |
| debian/curl | 7.64.0-4+deb10u2 7.64.0-4+deb10u9 7.74.0-1.3+deb11u11 7.88.1-10+deb12u5 8.7.1-3 8.7.1-5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38545 (Advisory)
- https://curl.se/docs/CVE-2023-38545.html
- https://security.netapp.com/advisory/ntap-20231027-0009/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/
- https://www.secpod.com/blog/high-severity-heap-buffer-overflow-vulnerability/
- https://support.apple.com/kb/HT214036
- https://support.apple.com/kb/HT214063
- https://support.apple.com/kb/HT214057
- https://support.apple.com/kb/HT214058
- http://seclists.org/fulldisclosure/2024/Jan/34
- http://seclists.org/fulldisclosure/2024/Jan/37
- http://seclists.org/fulldisclosure/2024/Jan/38
- https://security.netapp.com/advisory/ntap-20240201-0005/
- https://support.apple.com/en-us/HT214057 (Advisory)
- https://support.apple.com/en-us/HT214058 (Advisory)
- https://launchpad.net/bugs/cve/CVE-2023-38545
- https://exchange.xforce.ibmcloud.com/vulnerabilities/268045
- https://www.ibm.com/support/pages/node/7124058 (Advisory)
- https://support.apple.com/en-us/HT214063 (Advisory)
- https://www.fortiguard.com/psirt/FG-IR-23-385
- https://support.apple.com/en-us/HT214036 (Advisory)
- https://ubuntu.com/security/notices/USN-6429-1
- https://ubuntu.com/security/notices/USN-6429-3
- https://www.cve.org/CVERecord?id=CVE-2023-38545
- https://nvd.nist.gov/vuln/detail/CVE-2023-38545
- https://security-tracker.debian.org/tracker/CVE-2023-38545
- https://ubuntu.com/security/CVE-2023-38545
- https://github.com/curl/curl/commit/4a4b63daaa01ef59b131d91e8e6e6dfe275c0f08
- https://github.com/curl/curl/commit/fb4415d8aee6c1045be932a34fe6107c2f5ed147
- https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2243182
- https://access.redhat.com/errata/RHSA-2023:5700
- https://access.redhat.com/errata/RHSA-2023:5763
- https://access.redhat.com/errata/RHSA-2023:6745
- https://access.redhat.com/errata/RHSA-2023:7625
- https://access.redhat.com/errata/RHSA-2023:7626
- https://access.redhat.com/errata/RHSA-2024:0797
- https://access.redhat.com/errata/RHSA-2024:2011
- https://bugzilla.redhat.com/show_bug.cgi?id=2241933
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2023-42937
- CVE-2024-23212
- CVE-2023-38545
- CVE-2023-38039
- CVE-2023-38546
- CVE-2023-42915
- CVE-2023-42888
- CVE-2024-23211
- CVE-2024-23213
- CVE-2024-23214
- CVE-2024-23206
- CVE-2024-23222
- CVE-2023-42874
- CVE-2023-42919
- CVE-2023-42894
- CVE-2023-42901
- CVE-2023-42902
- CVE-2023-42912
- CVE-2023-42903
- CVE-2023-42904
- CVE-2023-42905
- CVE-2023-42906
- CVE-2023-42907
- CVE-2023-42908
- CVE-2023-42909
- CVE-2023-42910
- CVE-2023-42911
- CVE-2023-42926
- CVE-2023-42882
- CVE-2023-42881
- CVE-2023-42924
- CVE-2023-42896
- CVE-2023-42884
- CVE-2023-45866
- CVE-2023-42900
- CVE-2023-42886
- CVE-2023-42931
- CVE-2023-42892
- CVE-2023-42922
- CVE-2023-42898
- CVE-2023-42899
- CVE-2023-42891
- CVE-2023-42974
- CVE-2023-42914
- CVE-2023-42893
- CVE-2023-3618
- CVE-2020-19185
- CVE-2020-19186
- CVE-2020-19187
- CVE-2020-19188
- CVE-2020-19189
- CVE-2020-19190
- CVE-2023-42887
- CVE-2023-42936
- CVE-2023-40390
- CVE-2023-42842
- CVE-2023-42930
- CVE-2023-42913
- CVE-2023-42932
- CVE-2023-42947
- CVE-2023-5344
- CVE-2023-42890
- CVE-2023-42883
- CVE-2023-42950
- CVE-2023-42956
- CVE-2023-40528
- CVE-2024-23224
- CVE-2023-42935
- CVE-2024-23207
- CVE-2024-27791
Frequently Asked Questions
What is the vulnerability ID for this security advisory?
The vulnerability ID for this security advisory is CVE-2023-38545.
What is the title of the security advisory?
The title of the security advisory is [SECURITY ADVISORY] curl: CVE-2023-38545: SOCKS5 heap buffer overflow.
What is the severity of this vulnerability?
The severity of this vulnerability has not been specified.
What software is affected by this vulnerability?
The affected software is curl, with specific versions mentioned in the security advisory.
How can I fix this vulnerability?
You can fix this vulnerability by updating curl to the recommended versions provided in the security advisory.
- collector/oss-sec
- alias/CVE-2023-38545
- collector/msrc
- collector/nvd-index
- agent/type
- source/Microsoft
- collector/msrc-cve
- agent/first-publish-date
- agent/weakness
- agent/software-canonical-lookup
- agent/remedy
- collector/mitre-cve
- source/MITRE
- collector/fortiguard-psirt-latest
- source/FortiGuard
- alias/CVE-2023-38546
- agent/title
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/apple-support
- source/Apple
- alias/CVE-2023-38039
- alias/CVE-2023-42915
- collector/fortiguard-psirt
- agent/severity
- agent/description
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/microsoft
- canonical/microsoft windows server 2019
- canonical/microsoft windows 11
- version/microsoft windows 11/23h2
- version/microsoft windows 11/22h2
- version/microsoft windows 11/21h2
- canonical/microsoft windows server 2022
- canonical/microsoft windows 10
- version/microsoft windows 10/21h2
- version/microsoft windows 10/22h2
- version/microsoft windows 10/1809
- vendor/ibm
- canonical/ibm ibm® engineering requirements management doors
- version/ibm ibm® engineering requirements management doors/9.7.2.7
- canonical/ibm ibm® engineering requirements management doors web access
- version/ibm ibm® engineering requirements management doors web access/9.7.2.7
- vendor/apple
- canonical/apple ios
- canonical/apple ipados
- canonical/apple macos sonoma
- package-manager/redhat
- canonical/apple macos ventura
- canonical/apple macos monterey
- vendor/haxx
- canonical/haxx libcurl
- version/haxx libcurl/7.69.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- canonical/microsoft windows 10 1809
- canonical/microsoft windows 10 21h2
- canonical/microsoft windows 10 22h2
- canonical/microsoft windows 11 21h2
- canonical/microsoft windows 11 22h2
- canonical/microsoft windows 11 23h2
- package-manager/debian
- package-manager/ubuntu