CVE-2023-28320
Summary
| CVE | CVE-2023-28320 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-05-26 21:15:00 UTC |
| Updated | 2023-10-20 18:42:00 UTC |
| Description | A denial of service vulnerability exists in curl before 8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it lets name resolution time out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected, so a multi-threaded application might crash or otherwise misbehave. |
Risk And Classification
Problem Types: CWE-362 | CWE-400
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Apple | Macos | All | All | All | All |
| Application | Haxx | Curl | All | All | All | All |
| Application | Netapp | Clustered Data Ontap | - | All | All | All |
| Hardware | Netapp | H300s | - | All | All | All |
| Operating System | Netapp | H300s Firmware | - | All | All | All |
| Hardware | Netapp | H410s | - | All | All | All |
| Operating System | Netapp | H410s Firmware | - | All | All | All |
| Hardware | Netapp | H500s | - | All | All | All |
| Operating System | Netapp | H500s Firmware | - | All | All | All |
| Hardware | Netapp | H700s | - | All | All | All |
| Operating System | Netapp | H700s Firmware | - | All | All | All |
| Application | Netapp | Ontap Antivirus Connector | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| HackerOne | MISC | hackerone.com | |
| Full Disclosure: APPLE-SA-2023-07-24-5 macOS Monterey 12.6.8 | FULLDISC | seclists.org | |
| About the security content of macOS Ventura 13.5 - Apple Support | CONFIRM | support.apple.com | |
| About the security content of macOS Monterey 12.6.8 - Apple Support | CONFIRM | support.apple.com | |
| curl: Multiple Vulnerabilities (GLSA 202310-12) — Gentoo security | GENTOO | security.gentoo.org | |
| About the security content of macOS Big Sur 11.7.9 - Apple Support | CONFIRM | support.apple.com | |
| Full Disclosure: APPLE-SA-2023-07-24-4 macOS Ventura 13.5 | FULLDISC | seclists.org | |
| Full Disclosure: APPLE-SA-2023-07-24-6 macOS Big Sur 11.7.9 | FULLDISC | seclists.org | |
| May 2023 cURL/libcURL Vulnerabilities in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 182914 Debian Security Update for curl (CVE-2023-28320)
- 378687 Apple macOS Ventura 13.5 Not Installed (HT213843)
- 378688 Apple macOS Monterey 12.6.8 Not Installed (HT213844)
- 378689 Apple macOS Big Sur 11.7.9 Not Installed (HT213845)
- 503014 Alpine Linux Security Update for curl
- 691172 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (a4f8bb03-f52f-11ed-9859-080027083a05)
- 710772 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202310-12)
- 754020 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2226-1)
- 754021 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2228-1)
- 754022 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2227-1)
- 754069 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2225-1)
- 907178 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (26793-1)
- 907405 Common Base Linux Mariner (CBL-Mariner) Security Update for rust (26813-1)
- 907643 Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (26809-1)