This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
Esta falla hace que curl desborde un búfer basado en el protocolo de enlace del proxy SOCKS5. Cuando se le pide a curl que pase el nombre de host al proxy SOCKS5 para permitir que resuelva la dirección en lugar de que lo haga curl mismo, la longitud máxima que puede tener el nombre de host es 255 bytes. Si se detecta que el nombre de host es más largo, curl cambia a la resolución de nombres local y en su lugar pasa solo la dirección resuelta. Debido a este error, la variable local que significa "dejar que el host resuelva el nombre" podría obtener el valor incorrecto durante un protocolo de enlace SOCKS5 lento y, contrariamente a la intención, copiar el nombre del host demasiado largo al búfer de destino en lugar de copiar solo la dirección resuelta allí. El búfer de destino es un búfer basado en montón y el nombre de host proviene de la URL con la que se le ha dicho a curl que opere.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-787
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary |
en
CWE-787
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| haxx | libcurl | * | <built-in method update of dict object at 0x702b83f2f740> | Application |
| fedoraproject | fedora | 37 | <built-in method update of dict object at 0x702bde536080> | Operating System |
| netapp | active_iq_unified_manager | - | <built-in method update of dict object at 0x702ba6edb940> | Application |
| netapp | active_iq_unified_manager | - | <built-in method update of dict object at 0x702ba6ed9300> | Application |
| netapp | oncommand_insight | - | <built-in method update of dict object at 0x702b83f2d580> | Application |
| netapp | oncommand_workflow_automation | - | <built-in method update of dict object at 0x702b83f2fe00> | Application |
| microsoft | windows_10_1809 | * | <built-in method update of dict object at 0x702ba6eda500> | Operating System |
| microsoft | windows_10_21h2 | * | <built-in method update of dict object at 0x702b80ad8b00> | Operating System |
| microsoft | windows_10_22h2 | * | <built-in method update of dict object at 0x702bde536a80> | Operating System |
| microsoft | windows_11_21h2 | * | <built-in method update of dict object at 0x702b83f2d480> | Operating System |
| microsoft | windows_11_22h2 | * | <built-in method update of dict object at 0x702ba6ed9500> | Operating System |
| microsoft | windows_11_23h2 | * | <built-in method update of dict object at 0x702bde535500> | Operating System |
| microsoft | windows_server_2019 | * | <built-in method update of dict object at 0x702bde166880> | Operating System |
| microsoft | windows_server_2022 | * | <built-in method update of dict object at 0x702ba6ed8580> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* |
| Yes | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* |
| Yes | cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* |
| Yes | cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:* |