cURL Maintainers Fixing 'Worst Curl Security Flaw'

Updates Expected Wednesday for Open-Source Command-Line Tool, Library

Maintainers of the ubiquitous open-source command-line tool cURL issued a warning about two upcoming vulnerabilities set to be disclosed this week.

One vulnerability, tracked as CVE-2023-38545 and classified high severity, is "probably the worst curl security flaw in a long time," said Daniel Stenberg, founder, developer and maintainer of curl.

Stenberg last week announced in a GitHub advisory that he was cutting short the regular release cycle of curl for an urgent security release, to be made available on October 11.

The second vulnerability, CVE-2023-38546, is deemed a low severity issue affecting libcurl, the library behind curl.

The developer withheld technical details to avoid exposing the problem areas, but said he reported the issue to warn users.

DevSecOps provider Snyk pointed out the widespread usage of curl as a standalone utility and an integral part of other software.* "Many, if not all, of the Linux distributions that Snyk supports use libcurl, hence, the potential scope of impact is wide," Snyk warned.

Cybersecurity company Qualys explained that libcurl plays a vital role in helping developers incorporate robust data transfer functionality into their applications, facilitating tasks such as HTTP requests, cookie management and authentication.

Last year, the White House hosted a forum with open source security experts, and after deliberations, last month unveiled a road map for addressing cybersecurity in the open-source field.

But multiple vulnerabilities in open source tools, including libwebp and libvpx, have raised concerns as evidence of exploitation by commercial spyware vendors grows (see: Chrome Patches 0-Day Exploited by Commercial Spyware Vendor).

Amazon Web Services also last week warned of a vulnerability affecting TorchServe, an open source tool employed by major corporations in building artificial intelligence models (see: Amazon Web Services Warns of TorchServe Flaws).

The vulnerabilities will only be fixed in curl version 8.4.0. "The forthcoming high-severity issue in libcurl demands cautious attention, though it might not affect all users," Qualys said. "Updating the shared libcurl library is the anticipated universal fix across operating systems. Yet, according to the maintainer, a sizable number of rebuilds are expected, particularly in docker images and similar entities that incorporate their libcurl copies."

Docker issued a separate advisory to help its customers check whether they are using the curl library as a dependency in any of the container images in their organization.
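The check the last two paragraphs describe, as an added shell example that is not part of the article, of Docker's advisory or of the curl project: it parses the output of `curl --version`, reads both the binary's version and the `libcurl/X.Y.Z` token it links against, and flags anything older than 8.4.0, the release the article says carries the fixes. The sample outputs are constructed, and `report`, `needs_update`, `cli_version`, `lib_version` and `version_lt` are this example's own names.

```shell
#!/bin/sh
# Added example (not from the article or the curl project): decide whether a
# curl/libcurl installation predates 8.4.0, the release the article says
# carries the fixes for CVE-2023-38545 and CVE-2023-38546.

FIXED_VERSION="8.4.0"

# version_lt A B -> exit 0 if dotted version A is numerically lower than B.
# Compares field by field, so 8.10.0 is not mistaken for older than 8.4.0,
# and strips suffixes such as "-DEV" before comparing.
version_lt() {
    a=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//').0.0
    b=$(printf '%s\n' "$2" | sed 's/[^0-9.].*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# cli_version "<curl --version output>" -> version of the curl binary
# (first line reads "curl X.Y.Z (triplet) libcurl/X.Y.Z ...").
cli_version() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# lib_version "<curl --version output>" -> version of the libcurl it links.
# A binary can be newer than the shared library it loads, so both matter.
lib_version() {
    printf '%s\n' "$1" | sed -n '1s#.*libcurl/\([0-9][0-9.]*\).*#\1#p'
}

# needs_update "<curl --version output>" -> exit 0 if either version is
# below FIXED_VERSION. Unparseable output is flagged rather than passed.
needs_update() {
    cli=$(cli_version "$1")
    lib=$(lib_version "$1")
    [ -n "$cli" ] && [ -n "$lib" ] || return 0
    version_lt "$cli" "$FIXED_VERSION" && return 0
    version_lt "$lib" "$FIXED_VERSION" && return 0
    return 1
}

report() {
    if needs_update "$2"; then
        echo "$1: curl $(cli_version "$2") / libcurl $(lib_version "$2") -> older than $FIXED_VERSION, update or rebuild"
    else
        echo "$1: curl $(cli_version "$2") / libcurl $(lib_version "$2") -> at or above $FIXED_VERSION"
    fi
}

# Constructed sample outputs (not captured from a real system), in the shape
# that `curl --version` prints.
SAMPLE_OLD='curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.13
Protocols: file ftp ftps http https'
SAMPLE_FIXED='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.13
Protocols: file ftp ftps http https'
# Mixed case: a rebuilt binary still loading an older shared libcurl.
SAMPLE_MIXED='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.13
Protocols: file ftp ftps http https'

report "sample-old"   "$SAMPLE_OLD"
report "sample-fixed" "$SAMPLE_FIXED"
report "sample-mixed" "$SAMPLE_MIXED"

# Check the curl on this host, if there is one. For a container image, feed
# the output of `docker run --rm IMAGE curl --version` to report() instead.
if command -v curl >/dev/null 2>&1; then
    report "local" "$(curl --version 2>/dev/null)"
fi
```

The mixed sample is the case the article's quoted maintainer warning is about: updating the distribution's shared libcurl fixes programs that load it, but an image or application that carries its own copy of libcurl reports the old library version until it is rebuilt, which is why the check reads both numbers rather than only the one printed first.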

*Correction Oct. 16, 2023 16:39 UTC: Story changed to ensure correct spelling of "Snyk" throughout the story. We regret the error.

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.