cURL Maintainers Fixing 'Worst Curl Security Flaw'Updates Expected Wednesday for Open-Source Command-Line Tool, Library
Maintainers of the ubiquitous open-source command-line tool cURL issued a warning about two upcoming vulnerabilities set to be disclosed this week.
One vulnerability, tracked as CVE-2023-38545 and classified high severity, is "probably the worst curl security flaw in a long time," said Daniel Stenberg, founder, developer and maintainer of curl.
Stenberg last week announced in a Github advisory that he was cutting short the regular release cycle of curl for an urgent security release, to be made available on October 11.
The second vulnerability, CVE-2023-38546, is deemed a low severity issue affecting
libcurl, the library behind curl.
The developer withheld technical details to avoid exposing the problem areas, but said he reported the issue to warn users.
DevSecOps provider Snyk pointed out the widespread usage of curl as a standalone utility and an integral part of other software.* "Many, if not all, of the Linux distributions that Snyk supports use libcurl, hence, the potential scope of impact is wide," Snyk warned.
Cybersecurity company Qualys explained that libcurl plays a vital role in helping developers incorporate robust data transfer functionality into their applications, facilitating tasks such as HTTP requests, cookie management and authentication.
But multiple vulnerabilities in open source tools, including libwebp and libvpx, have raised concerns as evidence of exploitation by commercial spyware vendors grows (see: Chrome Patches 0-Day Exploited by Commercial Spyware Vendor).
Amazon Web Services also last week warned of a vulnerability affecting TorchServe, an open source tool employed by major corporations in building artificial intelligence models (see: Amazon Web Services Warns of TorchServe Flaws).
The vulnerabilities will only be fixed in curl version 8.4.0. "The forthcoming high-severity issue in libcurl demands cautious attention, though it might not affect all users," Qualys said. "Updating the shared libcurl library is the anticipated universal fix across operating systems. Yet, according to the maintainer, a sizable number of rebuilds are expected, particularly in docker images and similar entities that incorporate their libcurl copies."
Docker issued a separate advisory to help its customers check whether they are using the curl library as a dependency in any of the container images in their organization.
*Correction Oct. 16, 2023 16:39 UTC: Story changed to ensure correct spelling of "Snyk" throughout the story. We regret the error.