Curl new vulnerabilities to be announced on October 11, 2023

Curl, which relies on libcurl, is a widely-used command-line tool for transferring data via URL syntax. It supports a diverse array of protocols, including FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), SCP, SFTP, SMB(S), SMTP(S), TELNET, WS, and WSS.

The maintainers of the Curl library have issued a warning regarding two security vulnerabilities scheduled for resolution in an upcoming update slated for release on October 11, 2023.

These vulnerabilities consist of one high-severity issue, identified as CVE-2023-38545, and a low-severity flaw, labeled CVE-2023-38546.

Exact details about these vulnerabilities and the specific version ranges they affect have not been disclosed to prevent potential malicious exploitation. However, it has been indicated that these vulnerabilities impact numerous versions of the Curl library spanning the last several years.

Daniel Stenberg, the lead developer of the Curl project, stated on GitHub that while there is a small chance that someone might discover these issues before the patch is released, the fact that they have remained undetected for years underscores their complexity.

The impact of CVE-2023-38545 extends to both libcurl and curl, whereas CVE-2023-38546 solely affects libcurl.

The forthcoming patch to address these vulnerabilities will be included in curl version 8.4.0, as noted by Saeed Abbasi, a product manager at Qualys Threat Research Unit (TRU).

Abbasi also emphasized the importance of organizations taking proactive measures by inventorying and scanning all systems utilizing curl and libcurl. This will enable them to identify potentially vulnerable versions as soon as detailed information is disclosed upon the release of Curl 8.4.0 on October 11.