Buffer overflow in Curl
CVE-2023-38545
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximu…
Vulnerability class: Buffer Overflow
EPSS: 0.267 (96.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
Weakness classification (CWE)
Public proof-of-concept exploits
References
- support@hackerone.com (Patch, Third Party Advisory)
- support@hackerone.com (Third Party Advisory)
- support@hackerone.com (Mailing List, Third Party Advisory)
- support@hackerone.com (Patch, Third Party Advisory)
- support@hackerone.com (Third Party Advisory)
- support@hackerone.com (Third Party Advisory)
- support@hackerone.com (Third Party Advisory)
- support@hackerone.com (Third Party Advisory)
- support@hackerone.com (Mailing List, Third Party Advisory)
- support@hackerone.com (Mailing List, Third Party Advisory)
Frequently asked questions
- What is CVE-2023-38545?
- CVE-2023-38545 is a critical-severity vulnerability in Curl, classified under Out-of-bounds Write. CVSS score: 9.8/10. Published 2023-10-18.
- How severe is CVE-2023-38545?
- Critical severity. CVSS v3 base score is 9.8 out of 10.
- Is CVE-2023-38545 known to be exploited?
- 32 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.