Maintainers of the Curl Library have issued an advisory warning of two security vulnerabilities, which have been addressed as part of an upcoming update set for release on October 11, 2023.
This includes the defect of high-seriousness and low-seriousness respectively, which has been tracked under the identifier CVE-2023-38545 and CVE-2023-38546 respectively.
Additional details about issues and accurate version range have been stopped due to the possibility that information can be used to “help identify the problem (area) with much more accuracy”.
He said, “previous several years” of library versions are affected.
“Sure, there is a minuscule risk that someone can find this (again) before we ship the patch, but this issue has stayed undetected for years for a reason,” Daniel Stenberg, the lead developer behind the project, said in a message posted on GitHub.
Curl, powered by libcurl, is a popular command-line tool for transferring data specified with URL syntax. It supports a wide range of protocols such as FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), SCP, SFTP, SMB(S), SMTP(S), TELNET, WS, and WSS.
While 2023–38545 affects both Libcurl and curls, CVE-2023–38546 affects Libcurl only.
Saeed Abbasi, the product manager of the Qualys Threat Research Unit (TRU), said, “Undisclosed to prevent the pre-release problem identification with the specific version range details, the vulnerabilities will be fixed in the curl version 8.4.0.”
“Organizations must scan immediate inventory and all systems to use curls and libcurl, the possibility of identifying potentially vulnerable versions, Details appear once on 11 October with a release of curl 8.4.0.”