Lucene search

K
redhatRedHatRHSA-2024:0428
HistoryJan 24, 2024 - 2:40 p.m.

(RHSA-2024:0428) Moderate: curl security and bug fix update

2024-01-2414:40:32
access.redhat.com
12
moderate level
curl
libcurl
http
ftp
ldap
security fix
bug fix
cve-2023-27535
cve-2023-27536
cve-2023-46218
cve-2022-35252
cve-2022-43552
cve-2023-28322
ssh-2.0-9.99 sshlib

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

0.003

Percentile

71.7%

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: FTP too eager connection reuse (CVE-2023-27535)

  • curl: GSS delegation too eager connection re-use (CVE-2023-27536)

  • curl: information disclosure by exploiting a mixed case flaw (CVE-2023-46218)

  • curl: Incorrect handling of control code characters in cookies (CVE-2022-35252)

  • curl: Use-after-free triggered by an HTTP proxy deny response (CVE-2022-43552)

  • curl: more POST-after-PUT confusion (CVE-2023-28322)

Bug Fix(es):

  • Cannot upload files bigger than 64K to “SSH-2.0-9.99 sshlib” server, transfer hangs (RHEL-5483)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.2

Confidence

Low

EPSS

0.003

Percentile

71.7%