5 matches found
CVE-2022-2068
The Connected documents corroborate CVE-2022-2068 as a real OpenSSL issue: c_rehash can pass certificate filenames to shell commands, enabling local command execution. Fixed in OpenSSL 3.0.4 (affecting 3.0.0–3.0.3), in OpenSSL 1.1.1p (affecting 1.1.1–1.1.1o), and in OpenSSL 1.0.2zf (affecting 1.0...
CVE-2023-28322
The CVE-2023-28322 information disclosure issue affects curl/libcurl when performing HTTP(S) transfers and using a reused handle that was previously used for PUT and then changed to POST. The flaw arises from curl incorrectly using the read callback (CURLOPT_READFUNCTION) to supply data for POSTF...
CVE-2023-28321
CVE-2023-28321 affects curl before 8.1.0, where a private wildcard matching function used for TLS SAN wildcard patterns can mis-match IDN hostnames. IDNs are punycode-encoded (starting with xn--), but the curl wildcard check could still accept patterns like x* that should not match, potentially a...
CVE-2023-28319
CVE-2023-28319 : A use-after-free in curl/libcurl’s SSH fingerprint check (verifying server public keys with a SHA-256 hash) occurs when verification fails; memory for the fingerprint is freed before the error message is built, potentially leaking the freed hash data in error output. Affected are...
CVE-2023-28320
The CVE-2023-28320 issue affects curl/libcurl when built with a synchronous resolver, where name resolution can hang via alarm() and siglongjmp(). It uses a non-mutex-protected global buffer, risking crashes or misbehavior in multi-threaded apps. Affected: curl