PT-2023-3433 · Curl+5 · Curl+5

Harry Sintonen

+1

·

Publicado

2023-05-17

·

Atualizado

2026-05-18

·

CVE-2023-28320

CVSS v3.1

5.9

Média

VetorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions curl versions prior to 8.1.0
Description A denial of service issue exists in the way libcurl provides several different backends for resolving host names. If libcurl is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm() and siglongjmp(). This can cause a multi-threaded application to crash or misbehave due to a global buffer that is not mutex protected. The issue can be exploited by a remote attacker to cause a denial of service.
Recommendations For versions prior to 8.1.0, update to version 8.1.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the synchronous resolver backend in multi-threaded applications until a patch is available. Restrict access to the vulnerable alarm() and siglongjmp() functions to minimize the risk of exploitation.

Exploit

Correção

DoS

Resource Exhaustion

Race Condition

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-400CWE-362CWE-662

Identificadores relacionados

ALT-PU-2023-1827
ALT-PU-2023-1863
ALT-PU-2023-4357
ALT-PU-2023-5727
AZL-26790
AZL-26793
AZL-26809
AZL-26813
AZL-34605
AZL-38926
BDU:2023-03612
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2023-28320
MGASA-2023-0263
OPENSUSE-SU-2024:12940-1
SUSE-SU-2023:2224-1
SUSE-SU-2023:2224-2
SUSE-SU-2023:2225-1
SUSE-SU-2023:2226-1
SUSE-SU-2023:2227-1
SUSE-SU-2023:2228-1
SUSE-SU-2023:2230-1
SUSE-SU-2023_2227-1
SUSE-SU-2023_2230-1

Produtos afetados

Alt Linux
Debian
Apple Macos
Red Os
Suse
Curl