- Vulnerability/
- USN-6429-1
USN-6429-1: curl vulnerabilities
First published: Wed Oct 11 2023(Updated: )
Jay Satiro discovered that curl incorrectly handled hostnames when using a SOCKS5 proxy. In environments where curl is configured to use a SOCKS5 proxy, a remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-38545) It was discovered that curl incorrectly handled cookies when an application duplicated certain handles. A local attacker could possibly create a cookie file and inject arbitrary cookies into subsequent connections. (CVE-2023-38546)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/curl | <7.88.1-8ubuntu2.3 | 7.88.1-8ubuntu2.3 |
| =23.04 | ||
| All of | ||
| ubuntu/libcurl3-gnutls | <7.88.1-8ubuntu2.3 | 7.88.1-8ubuntu2.3 |
| =23.04 | ||
| All of | ||
| ubuntu/libcurl3-nss | <7.88.1-8ubuntu2.3 | 7.88.1-8ubuntu2.3 |
| =23.04 | ||
| All of | ||
| ubuntu/libcurl4 | <7.88.1-8ubuntu2.3 | 7.88.1-8ubuntu2.3 |
| =23.04 | ||
| All of | ||
| ubuntu/curl | <7.81.0-1ubuntu1.14 | 7.81.0-1ubuntu1.14 |
| =22.04 | ||
| All of | ||
| ubuntu/libcurl3-gnutls | <7.81.0-1ubuntu1.14 | 7.81.0-1ubuntu1.14 |
| =22.04 | ||
| All of | ||
| ubuntu/libcurl3-nss | <7.81.0-1ubuntu1.14 | 7.81.0-1ubuntu1.14 |
| =22.04 | ||
| All of | ||
| ubuntu/libcurl4 | <7.81.0-1ubuntu1.14 | 7.81.0-1ubuntu1.14 |
| =22.04 | ||
| All of | ||
| ubuntu/curl | <7.68.0-1ubuntu2.20 | 7.68.0-1ubuntu2.20 |
| =20.04 | ||
| All of | ||
| ubuntu/libcurl3-gnutls | <7.68.0-1ubuntu2.20 | 7.68.0-1ubuntu2.20 |
| =20.04 | ||
| All of | ||
| ubuntu/libcurl3-nss | <7.68.0-1ubuntu2.20 | 7.68.0-1ubuntu2.20 |
| =20.04 | ||
| All of | ||
| ubuntu/libcurl4 | <7.68.0-1ubuntu2.20 | 7.68.0-1ubuntu2.20 |
| =20.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2023-38546
- https://ubuntu.com/security/CVE-2023-38545
- https://ubuntu.com/security/notices/USN-6429-2
- https://ubuntu.com/security/notices/USN-6429-3
- https://launchpad.net/ubuntu/+source/curl/7.88.1-8ubuntu2.3
- https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.14
- https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.20
- https://ubuntu.com/security/notices/USN-6429-1 (Advisory)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is USN-6429-1.
What software is affected by this vulnerability?
The software affected by this vulnerability is curl and its related packages libcurl3-gnutls, libcurl3-nss, and libcurl4 on Ubuntu versions 22.04 LTS, 23.04, and 20.04.
What is the severity of the vulnerability?
The severity of the vulnerability is not mentioned in the provided information.
How can I fix the vulnerability?
To fix the vulnerability, update the affected software to the specified versions: curl 7.88.1-8ubuntu2.3, libcurl3-gnutls 7.88.1-8ubuntu2.3, libcurl3-nss 7.88.1-8ubuntu2.3, and libcurl4 7.88.1-8ubuntu2.3 on Ubuntu versions 22.04 LTS, 23.04, and 20.04.
Where can I find more information about this vulnerability?
More information about this vulnerability can be found on the Ubuntu security website and the CVE-2023-38546 and CVE-2023-38545 pages.
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- collector/usn
- source/Ubuntu
- anchor-related/USN-6429-2
- anchor-related/USN-6429-3
- agent/software-canonical-lookup
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/23.04
- version/ubuntu ubuntu/22.04
- version/ubuntu ubuntu/20.04