CURL-CVE-2023-27534
- Source
- https://curl.se/docs/CVE-2023-27534.html
- Import Source
- https://curl.se/docs/CURL-CVE-2023-27534.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2023-27534
- Aliases
- Published
- 2023-03-20T08:00:00Z
- Modified
- 2024-01-25T02:42:51.734800Z
- Summary
- SFTP path ~ resolving discrepancy
- Details
-
curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (
~) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work.Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element.
Using a path like
/~2/foowhen accessing a server using the userdan(with home directory/home/dan) would then quite surprisingly access the file/home/dan2/foo.This can be taken advantage of to circumvent filtering or worse.
- Database specific
{ "URL": "https://curl.se/docs/CVE-2023-27534.json", "issue": "https://hackerone.com/reports/1892351", "www": "https://curl.se/docs/CVE-2023-27534.html", "affects": "both", "last_affected": "7.88.1", "CWE": { "desc": "Improper Limitation of a Pathname to a Restricted Directory", "id": "CWE-22" }, "severity": "Low", "award": { "currency": "USD", "amount": "480" }, "package": "curl" }- References
-
- Credits
-
-
- Harry Sintonen - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.18.0Fixed8.0.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events
Affected versions
7.*
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0
7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0
7.88.0
7.88.1
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1162.0,
"function_hash": "228840074135554431436719030323093654179"
},
"source": "https://github.com/curl/curl.git/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6",
"target": {
"file": "lib/curl_path.c",
"function": "Curl_getworkingpath"
},
"id": "CURL-CVE-2023-27534-41b9bc57"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"218544295992803142351060550016437973059",
"17595090113948442442737404369813994168",
"127099749212024772016832004220242757845",
"193377320314188509804557227397164681671",
"128593626999667703384795045236461924420",
"166500908727351385377023948994925195877",
"164312718496607157671589763048734094643",
"241024227959350370199836703071471749079",
"142363385775755644370728803225874686346",
"24894155868649408036618127898712702512",
"322969720911693821970132461870384462211",
"267269704318405773158920350231518977242",
"114626317354368070713158021065297744152",
"302222549270681719589766286763024689976",
"22695367372254738118545595532995196107",
"63562687785449076694908610682007924595",
"139300319062665313356507615483743702008",
"173293223730354422723121247930875265019",
"192553860508771460009008025076551363558",
"326154242660115391323127878791032655308",
"122444487809622759736426500349637244536",
"249625537427663162852917849078719393486",
"304941522735531985350000096649696213401",
"299871582095206091799004427034611032085",
"20629569223273937240173877834025078004",
"251350689102973709440522639738416094059",
"156192352302548045669514510887390816767",
"101898109192932712250706491865800012857",
"96649043855652563813759725220665959968",
"120977689065159008338668166205124385763",
"173293223730354422723121247930875265019",
"227012376426497601253820692928802671546",
"12413570378180400446243866381344886251",
"203306616924648785618483540586034808563",
"87959606140091949917716476882169532916",
"180519442735749124854477651929287477130",
"10843707057582894148002426623887554465",
"310397967457063354526099098088053995188",
"143856960950009739223417370161638863001",
"227832957307795953550157382558438178924",
"164919229496897240624069036802370089344",
"334030817854875047914307532863676427973",
"20925765012834045928219785870668575700",
"64191071328762438076287199822580165471",
"336973117671902481458599763111284669984",
"153999460614051797763374948783717851513",
"139300319062665313356507615483743702008",
"173293223730354422723121247930875265019",
"332980443351317171627524081174027457346",
"172614800569243312121640488635040898424",
"222352064344804085798479313409624286993",
"252970910987515919464260785484673287410",
"140728092908624700123691564267460159843",
"98216406554028246372000676043079968592",
"109458180892148882097022975793511679746",
"236511837109245670155669349537673282164"
],
"threshold": 0.9
},
"source": "https://github.com/curl/curl.git/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6",
"target": {
"file": "lib/curl_path.c"
},
"id": "CURL-CVE-2023-27534-4c227131"
}
]