{"id":"CURL-CVE-2023-27534","summary":"SFTP path ~ resolving discrepancy","details":"curl supports SFTP transfers. curl's SFTP implementation offers a special\nfeature in the path component of URLs: a tilde (`~`) character as the first\npath element in the path to denote a path relative to the user's home\ndirectory. This is supported because of wording in the [once proposed\nto-become RFC\ndraft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04)\nthat was to dictate how SFTP URLs work.\n\nDue to a bug, the handling of the tilde in SFTP paths did however not only\nreplace it when it is used stand-alone as the first path element but also\nwrongly when used as a mere prefix in the first element.\n\nUsing a path like `/~2/foo` when accessing a server using the user `dan` (with\nhome directory `/home/dan`) would then quite surprisingly access the file\n`/home/dan2/foo`.\n\nThis can be taken advantage of to circumvent filtering or worse.","aliases":["CVE-2023-27534"],"modified":"2024-01-25T02:42:51.734800Z","published":"2023-03-20T08:00:00Z","database_specific":{"issue":"https://hackerone.com/reports/1892351","affects":"both","URL":"https://curl.se/docs/CVE-2023-27534.json","last_affected":"7.88.1","severity":"Low","www":"https://curl.se/docs/CVE-2023-27534.html","package":"curl","award":{"amount":"480","currency":"USD"},"CWE":{"desc":"Improper Limitation of a Pathname to a Restricted 
Directory","id":"CWE-22"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.18.0"},{"fixed":"8.0.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ba6f20a2442ab1ebfe947cff19a552f92114a29a"},{"fixed":"4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6"}]}],"versions":["7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Function","target":{"file":"lib/curl_path.c","function":"Curl_getworkingpath"},"source":"https://github.com/curl/curl.git/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6","signature_version":"v1","id":"CURL-CVE-2023-27534-41b9bc57","digest":{"function_hash":"228840074135554431436719030323093654179","length":1162}},{"deprecated":false,"signature_type":"Line","target":{"file":"lib/curl_path.c"},"source":"https://github.com/curl/curl.git/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6","signature_version":"v1","id":"CURL-CVE-2023-27534-4c227131","digest":{"threshold":0.9,"line_hashes":[
"218544295992803142351060550016437973059","17595090113948442442737404369813994168","127099749212024772016832004220242757845","193377320314188509804557227397164681671","128593626999667703384795045236461924420","166500908727351385377023948994925195877","164312718496607157671589763048734094643","241024227959350370199836703071471749079","142363385775755644370728803225874686346","24894155868649408036618127898712702512","322969720911693821970132461870384462211","267269704318405773158920350231518977242","114626317354368070713158021065297744152","302222549270681719589766286763024689976","22695367372254738118545595532995196107","63562687785449076694908610682007924595","139300319062665313356507615483743702008","173293223730354422723121247930875265019","192553860508771460009008025076551363558","326154242660115391323127878791032655308","122444487809622759736426500349637244536","249625537427663162852917849078719393486","304941522735531985350000096649696213401","299871582095206091799004427034611032085","20629569223273937240173877834025078004","251350689102973709440522639738416094059","156192352302548045669514510887390816767","101898109192932712250706491865800012857","96649043855652563813759725220665959968","120977689065159008338668166205124385763","173293223730354422723121247930875265019","227012376426497601253820692928802671546","12413570378180400446243866381344886251","203306616924648785618483540586034808563","87959606140091949917716476882169532916","180519442735749124854477651929287477130","10843707057582894148002426623887554465","310397967457063354526099098088053995188","143856960950009739223417370161638863001","227832957307795953550157382558438178924","164919229496897240624069036802370089344","334030817854875047914307532863676427973","20925765012834045928219785870668575700","64191071328762438076287199822580165471","336973117671902481458599763111284669984","153999460614051797763374948783717851513","139300319062665313356507615483743702008","173293223730354422723121247930875265
019","332980443351317171627524081174027457346","172614800569243312121640488635040898424","222352064344804085798479313409624286993","252970910987515919464260785484673287410","140728092908624700123691564267460159843","98216406554028246372000676043079968592","109458180892148882097022975793511679746","236511837109245670155669349537673282164"]}}],"source":"https://curl.se/docs/CURL-CVE-2023-27534.json"}}],"schema_version":"1.7.3","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}