CVE-2023-28319

Published: 17 May 2023

A use-after-free vulnerability exists in curl versions before 8.1.0, in the libcurl feature that verifies an SSH server's public key using a SHA-256 hash. When this check fails, libcurl frees the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message, which might be shown to users or otherwise leaked and revealed.

Notes

Author: mdeslaur

Introduced in 7.81.0 in
https://github.com/curl/curl/commit/3467e89bb97e6c87c7

This only affects curl when built with libssh2. Ubuntu packages
contain a delta from Debian to build with libssh instead of
libssh2, so Ubuntu is not affected by this vulnerability.
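
A triage check for the conditions in the note above, as an added example that is not part of the Ubuntu tracker or the curl project: it parses the first line of `curl --version` output and reports a build as affected only when libcurl is at least 7.81.0, below 8.1.0, and linked against libssh2. The sample banners are constructed, and the function names are illustrative.

```python
import re

INTRODUCED = (7, 81, 0)  # first affected release, per the note on this page
FIXED = (8, 1, 0)        # upstream release that carries the fix

def parse_banner(banner):
    """Return (libcurl version tuple, SSH backend or None) from `curl --version` text."""
    first = banner.strip().splitlines()[0]
    ver = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", first)
    if ver is None:
        raise ValueError("no libcurl/x.y.z component in banner")
    # Try "libssh2" before "libssh" so the two backends are never confused.
    ssh = re.search(r"(?<![\w/])(libssh2|libssh)/\d", first)
    return tuple(map(int, ver.groups())), (ssh.group(1) if ssh else None)

def triage(banner):
    """Return (affected, reason) for CVE-2023-28319 based on version and backend."""
    version, backend = parse_banner(banner)
    shown = ".".join(map(str, version))
    if backend != "libssh2":
        return False, f"SSH backend is {backend or 'absent'}, not libssh2"
    if version < INTRODUCED:
        return False, f"libcurl {shown} predates 7.81.0"
    if version >= FIXED:
        return False, f"libcurl {shown} includes the upstream fix"
    # Version match only: a distro package may carry a backported fix.
    return True, f"libcurl {shown} with libssh2 is in the affected range"

# Constructed sample banners (first line of `curl --version`), not captured output.
SAMPLES = {
    "libssh build": "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 "
                    "OpenSSL/3.0.2 zlib/1.2.11 libssh/0.9.6/openssl/zlib",
    "libssh2 in range": "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 "
                        "OpenSSL/3.0.8 zlib/1.2.13 libssh2/1.10.0",
    "libssh2 fixed": "curl 8.1.0 (x86_64-pc-linux-gnu) libcurl/8.1.0 "
                     "OpenSSL/3.0.8 zlib/1.2.13 libssh2/1.11.0",
    "libssh2 old": "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 "
                   "OpenSSL/1.1.1f zlib/1.2.11 libssh2/1.8.0",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, "->", triage(banner))
```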

Priority

Medium

CVSS 3 Severity Score

7.5

Status

Package: curl (Launchpad, Ubuntu, Debian)

| Release | Status |
|---|---|
| bionic | Not vulnerable (7.58.0-2ubuntu3.24) |
| focal | Not vulnerable (7.68.0-1ubuntu2.18) |
| jammy | Not vulnerable (code not compiled) |
| kinetic | Not vulnerable (code not compiled) |
| lunar | Not vulnerable (code not compiled) |
| trusty | Not vulnerable |
| upstream | Released (8.1.0) |
| xenial | Not vulnerable |

Patches:
upstream: https://github.com/curl/curl/commit/8e21b1a05f3c0ee098dbcb6c

Severity score breakdown

| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |