{"id":"CURL-CVE-2023-28319","summary":"UAF in SSH sha256 fingerprint check","details":"libcurl offers a feature to verify an SSH server's public key using a SHA 256\nhash. When this check fails, libcurl would free the memory for the fingerprint\nbefore it returns an error message containing the (now freed) hash.\n\nThis flaw risks inserting sensitive heap-based data into the error message\nthat might be shown to users or otherwise get leaked and revealed.","aliases":["CVE-2023-28319"],"modified":"2025-05-15T17:48:29Z","published":"2023-05-17T08:00:00Z","database_specific":{"package":"curl","CWE":{"id":"CWE-416","desc":"Use After Free"},"award":{"currency":"USD","amount":"2400"},"last_affected":"8.0.1","severity":"Medium","www":"https://curl.se/docs/CVE-2023-28319.html","affects":"both","URL":"https://curl.se/docs/CVE-2023-28319.json","issue":"https://hackerone.com/reports/1913733"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.81.0"},{"fixed":"8.1.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"3467e89bb97e6c87c77e82a046c59cb4b2d29a74"},{"fixed":"8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122"}]}],"versions":["8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2023-28319.json","vanir_signatures":[{"signature_type":"Function","id":"CURL-CVE-2023-28319-7fadbfce","digest":{"length":3668,"function_hash":"164663694070092557558600732840543728138"},"signature_version":"v1","target":{"file":"lib/vssh/libssh2.c","function":"ssh_check_fingerprint"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122"},{"signature_type":"Line","id":"CURL-CVE-2023-28319-91543937","digest":{"line_hashes":["53569815033807692591988852672197824348","300026661933698122365812888195609192414","154976131995872583060259700678453632716","337877370814969873219123483981391270966","291185224061452949542855463539608396025","135566640030226554992210614888316861163","76693148052900451742912538564807476793"],"threshold":0.9},"signature_version":"v1","target":{"file":"lib/vssh/libssh2.c"},"deprecated":false,"source":"https://github.com/curl/curl.git/commit/8e21b1a05f3c0ee098dbcb6c3d84cb61f102a122"}]}}],"schema_version":"1.7.3","credits":[{"name":"Wei Chong Tan","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}