CVE-2019-5443

Name of the Vulnerable Software and Affected Versions curl versions 7.65.1 and earlier MySQL Server versions 5.7.27 and earlier, 8.0.17 and earlier

Description The issue is related to incorrect code generation management in the libcurl library. It allows a non-privileged user or program to place code and a config file in a known non-privileged path, which can make curl automatically run the code as an OpenSSL "engine" on invocation. If curl is invoked by a privileged user, it can perform any desired actions. This flaw can be exploited to elevate privileges or execute arbitrary code. There exists proof of concept exploits of this flaw.

Recommendations For curl versions 7.65.1 and earlier, consider disabling the use of OpenSSL "engine" until a patch is available. For MySQL Server versions 5.7.27 and earlier, 8.0.17 and earlier, restrict access to the Server:Compiling(cURL) subcomponent to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.