CURL-CVE-2023-27534

Source
https://curl.se/docs/CVE-2023-27534.html
Import Source
https://curl.se/docs/CURL-CVE-2023-27534.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2023-27534
Aliases
Published
2023-03-20T08:00:00Z
Modified
2024-01-16T03:42:50.338439Z
Summary
SFTP path ~ resolving discrepancy
Details

curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character used as the first path element denotes a path relative to the user's home directory. This is supported because of wording in the once-proposed draft that was intended to become the RFC dictating how SFTP URLs work.

Due to a bug, the handling of the tilde in the SFTP path did not only replace it when it was used stand-alone as the first path element, but also, wrongly, when it was merely a prefix of the first element.

Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo.

This can be taken advantage of to circumvent filtering or worse.
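As an added illustration, not curl's own code, the following simplified C model contrasts the affected prefix check with the corrected stand-alone check described above; the function names, helper and the home directory /home/dan are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of the affected check: any first path element that
 * merely starts with '~' is treated as home-relative (the defect). */
static char *resolve_vulnerable(const char *path, const char *home)
{
    size_t len = strlen(path);
    char *out = malloc(strlen(home) + len + 1);
    if (!out)
        return NULL;
    if (len > 2 && memcmp(path, "/~", 2) == 0) {
        /* home + text after "/~": "/~2/foo" becomes home followed by "2/foo" */
        strcpy(out, home);
        strcat(out, path + 2);
    } else {
        strcpy(out, path);
    }
    return out;
}

/* Corrected check: only a stand-alone first element "~" ("/~" or "/~/...")
 * is home-relative; a path such as "/~2/foo" is passed through unchanged. */
static char *resolve_fixed(const char *path, const char *home)
{
    size_t len = strlen(path);
    char *out = malloc(strlen(home) + len + 1);
    if (!out)
        return NULL;
    if (strcmp(path, "/~") == 0 || (len > 2 && memcmp(path, "/~/", 3) == 0)) {
        strcpy(out, home);
        if (len > 3)
            strcat(out, path + 2); /* keeps the "/" separating home and the rest */
    } else {
        strcpy(out, path);
    }
    return out;
}

/* Constructed helper: returns 1 if resolver(path, home) equals expected. */
static int resolves_to(char *(*resolver)(const char *, const char *),
                       const char *path, const char *home, const char *expected)
{
    char *got = resolver(path, home);
    int ok = got && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```

With home directory /home/dan, the vulnerable model turns /~2/foo into /home/dan2/foo exactly as the advisory describes, while the corrected model leaves it untouched.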

Database specific
{
    "issue": "https://hackerone.com/reports/1892351",
    "URL": "https://curl.se/docs/CVE-2023-27534.json",
    "last_affected": "7.88.1",
    "affects": "both",
    "award": {
        "currency": "USD",
        "amount": "480"
    },
    "CWE": {
        "desc": "Improper Limitation of a Pathname to a Restricted Directory",
        "id": "CWE-22"
    },
    "severity": "Low",
    "package": "curl",
    "www": "https://curl.se/docs/CVE-2023-27534.html"
}
References
Credits
    • Harry Sintonen - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.18.0
Fixed
8.0.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions


7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0
7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0
7.88.0
7.88.1

Database specific

{
    "vanir_signatures": [
        {
            "signature_type": "Function",
            "target": {
                "file": "lib/curl_path.c",
                "function": "Curl_getworkingpath"
            },
            "signature_version": "v1",
            "digest": {
                "length": 1162.0,
                "function_hash": "228840074135554431436719030323093654179"
            },
            "source": "https://github.com/curl/curl.git/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6",
            "deprecated": false,
            "id": "CURL-CVE-2023-27534-41b9bc57"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "lib/curl_path.c"
            },
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9
            },
            "source": "https://github.com/curl/curl.git/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6",
            "deprecated": false,
            "id": "CURL-CVE-2023-27534-4c227131"
        }
    ]
}