Special Element Injection Affecting libcurl-minimal package, versions <0:8.0.1-1.amzn2023


Severity

Recommended
0.0
medium
0
10

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.32% (72nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2023-LIBCURLMINIMAL-5671325
  • published8 Jun 2023
  • disclosed30 Mar 2023

Introduced: 30 Mar 2023

CVE-2023-27533  (opens in a new tab)
CWE-75  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 libcurl-minimal to version 0:8.0.1-1.amzn2023 or higher.
This issue was patched in ALAS2023-2023-193.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl-minimal package and not the libcurl-minimal package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.

CVSS Scores

version 3.1