Improper synchronization in cURL

#VU76235 Improper synchronization in cURL

Published: 2023-05-17

Vulnerability identifier: #VU76235

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28320

CWE-ID: CWE-662

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cURL
Client/Desktop applications / Other client software

Vendor: curl.haxx.se

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper synchronization when resolving host names using the alarm() and siglongjmp() function. A remote attacker can force the application to crash by influencing contents of the global buffer.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cURL: 7.1.1 - 8.0.1

External links
http://curl.haxx.se/docs/CVE-2023-28320.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA

Multiple vulnerabilities in IBM Rational ClearCase

Multiple vulnerabilities in IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

Gentoo update for curl

Multiple vulnerabilities in Oracle Solaris third-party software

Multiple vulnerabilities in Dell Cloud Tiering Appliance

Multiple vulnerabilities in Dell Data Protection Central

Multiple vulnerabilities in Dell PowerProtect Cyber Recovery

Multiple vulnerabilities in IBM QRadar Wincollect