Lucene search

K
rosalinuxROSA LABROSA-SA-2024-2379
HistoryMar 26, 2024 - 11:18 a.m.

Advisory ROSA-SA-2024-2379

2024-03-2611:18:17
ROSA LAB
abf.rosalinux.ru
16
curl
vulnerability
fixed
patch
denial of service
arbitrary code
socks5
protocol
memory buffer
hostname length
remote execution
update command
unix
rosa-chrome
package version

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.1

Confidence

Low

EPSS

0.003

Percentile

70.6%

software: curl 8.4.0
WASP: ROSA-CHROME

package_evr_string: curl-8.4.0-1.src.rpm

CVE-ID: CVE-2023-38545
BDU-ID: 2023-06576
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the SOCKS5 protocol implementation of the cURL command line utility is related to an operation exceeding buffer boundaries in memory when processing hostname length. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service or execute arbitrary code
CVE-STATUS: Fixed
CVE-REV: To close, run the command: sudo dnf update curl

OSVersionArchitecturePackageVersionFilename
ROSAanynoarchcurl< 8.4.0UNKNOWN

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.1

Confidence

Low

EPSS

0.003

Percentile

70.6%