The maintainers of the Curl library, a widely used tool for data transfer via URL syntax, have issued an advisory warning about two forthcoming security vulnerabilities set to be addressed in an update on October 11, 2023. These vulnerabilities have been classified as high-severity (CVE-2023-38545) and low-severity (CVE-2023-38546).
Furthermore, the exact details of these vulnerabilities and the specific versions affected have been intentionally withheld to prevent potential attackers from identifying and exploiting them prematurely. However, it is known that these vulnerabilities impact versions of the library spanning several years.
Curl, powered by libcurl, supports various protocols, including FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), and more. The high-severity vulnerability (CVE-2023-38545) affects both libcurl and curl, while the low-severity one (CVE-2023-38546) impacts only libcurl. To address these issues, the maintainers plan to release Curl version 8.4.0 on October 11, 2023.
Security experts recommend that organizations take immediate action by inventorying and scanning all systems that rely on curl and libcurl. This proactive approach will help identify potentially vulnerable versions once the details of the vulnerabilities are disclosed with the release of Curl 8.4.0. Despite the intentional lack of information in the advisory, it is crucial for organizations to prepare for these updates and prioritize their systems’ security.