{"api_version":"1","generated_at":"2026-04-22T19:36:26+00:00","cve":"CVE-2023-27533","urls":{"html":"https://cve.report/CVE-2023-27533","api":"https://cve.report/api/cve/CVE-2023-27533.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-27533","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-27533"},"summary":{"title":"CVE-2023-27533","description":"A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and \"telnet options\" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2023-03-30 20:15:00","updated_at":"2024-03-27 14:54:00"},"problem_types":["CWE-74"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20230420-0011/","name":"https://security.netapp.com/advisory/ntap-20230420-0011/","refsource":"CONFIRM","tags":[],"title":"CVE-2023-27533 cURL/libcURL Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202310-12","name":"GLSA-202310-12","refsource":"GENTOO","tags":[],"title":"curl: Multiple Vulnerabilities (GLSA 202310-12) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html","name":"[debian-lts-announce] 20230421 [SECURITY] [DLA 3398-1] curl security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3398-1] curl security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://hackerone.com/reports/1891474","name":"https://hackerone.com/reports/1891474","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/","name":"FEDORA-2023-7e7414e64d","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: curl-7.82.0-14.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/","name":"FEDORA-2023-7e7414e64d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: curl-7.82.0-14.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-27533","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27533","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"7.881","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"haxx","cpe5":"curl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"active_iq_unified_manager","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"vmware_vsphere","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"clustered_data_ontap","cpe6":"9.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h300s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h300s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h410s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h410s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h500s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h500s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h700s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h700s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"splunk","cpe5":"universal_forwarder","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"27533","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"splunk","cpe5":"universal_forwarder","cpe6":"9.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-27533","qid":"161067","title":"Oracle Enterprise Linux Security Update for curl (ELSA-2023-6679)"},{"cve":"CVE-2023-27533","qid":"181748","title":"Debian Security Update for curl (DLA 3398-1)"},{"cve":"CVE-2023-27533","qid":"184182","title":"Debian Security Update for curl (CVE-2023-27533)"},{"cve":"CVE-2023-27533","qid":"199246","title":"Ubuntu Security Notification for curl Vulnerabilities (USN-5964-1)"},{"cve":"CVE-2023-27533","qid":"242295","title":"Red Hat Update for curl (RHSA-2023:6679)"},{"cve":"CVE-2023-27533","qid":"283820","title":"Fedora Security Update for curl (FEDORA-2023-2884ba1528)"},{"cve":"CVE-2023-27533","qid":"283865","title":"Fedora Security Update for curl (FEDORA-2023-7e7414e64d)"},{"cve":"CVE-2023-27533","qid":"284222","title":"Fedora Security Update for curl (FEDORA-2023-0de03a9232)"},{"cve":"CVE-2023-27533","qid":"330140","title":"IBM AIX Multiple Vulnerabilities due to curl (curl_advisory2)"},{"cve":"CVE-2023-27533","qid":"354900","title":"Amazon Linux Security Advisory for curl : ALAS-2023-1727"},{"cve":"CVE-2023-27533","qid":"355077","title":"Amazon Linux Security Advisory for curl : AL2012-2023-401"},{"cve":"CVE-2023-27533","qid":"355390","title":"Amazon Linux Security Advisory for curl : ALAS2-2023-2070"},{"cve":"CVE-2023-27533","qid":"355415","title":"Amazon Linux Security Advisory for curl : ALAS2023-2023-193"},{"cve":"CVE-2023-27533","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2023-27533","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2023-27533","qid":"502707","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-27533","qid":"502720","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-27533","qid":"503104","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-27533","qid":"505862","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-27533","qid":"672889","title":"EulerOS Security Update for curl (EulerOS-SA-2023-1816)"},{"cve":"CVE-2023-27533","qid":"672907","title":"EulerOS Security Update for curl (EulerOS-SA-2023-1798)"},{"cve":"CVE-2023-27533","qid":"672973","title":"EulerOS Security Update for curl (EulerOS-SA-2023-1838)"},{"cve":"CVE-2023-27533","qid":"672997","title":"EulerOS Security Update for curl (EulerOS-SA-2023-1862)"},{"cve":"CVE-2023-27533","qid":"673091","title":"EulerOS Security Update for curl (EulerOS-SA-2023-2188)"},{"cve":"CVE-2023-27533","qid":"673616","title":"EulerOS Security Update for curl (EulerOS-SA-2023-2635)"},{"cve":"CVE-2023-27533","qid":"673678","title":"EulerOS Security Update for curl (EulerOS-SA-2023-2677)"},{"cve":"CVE-2023-27533","qid":"691088","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for curl (0d7d104c-c6fb-11ed-8a4b-080027f5fec9)"},{"cve":"CVE-2023-27533","qid":"710772","title":"Gentoo Linux curl Multiple Vulnerabilities (GLSA 202310-12)"},{"cve":"CVE-2023-27533","qid":"753819","title":"SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:0865-1)"},{"cve":"CVE-2023-27533","qid":"753857","title":"SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:1711-1)"},{"cve":"CVE-2023-27533","qid":"754020","title":"SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2226-1)"},{"cve":"CVE-2023-27533","qid":"754021","title":"SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2228-1)"},{"cve":"CVE-2023-27533","qid":"906769","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (25894-1)"},{"cve":"CVE-2023-27533","qid":"907403","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rust (25812-1)"},{"cve":"CVE-2023-27533","qid":"907642","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (25804-1)"},{"cve":"CVE-2023-27533","qid":"941357","title":"AlmaLinux Security Update for curl (ALSA-2023:6679)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2023-27533","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/curl/curl","version":{"version_data":[{"version_value":"Fixed in 8.0.0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) (CWE-75)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://hackerone.com/reports/1891474","url":"https://hackerone.com/reports/1891474"},{"refsource":"FEDORA","name":"FEDORA-2023-7e7414e64d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230420-0011/","url":"https://security.netapp.com/advisory/ntap-20230420-0011/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230421 [SECURITY] [DLA 3398-1] curl security update","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"},{"refsource":"GENTOO","name":"GLSA-202310-12","url":"https://security.gentoo.org/glsa/202310-12"}]},"description":{"description_data":[{"lang":"eng","value":"A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and \"telnet options\" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system."}]}},"nvd":{"publishedDate":"2023-03-30 20:15:00","lastModifiedDate":"2024-03-27 14:54:00","problem_types":["CWE-74"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndIncluding":"7.881","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:clustered_data_ontap:9.0:-:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.0.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","versionStartIncluding":"8.2.0","versionEndExcluding":"8.2.12","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}