{"id":"USN-6237-1","summary":"curl vulnerabilities","details":"Hiroki Kurosawa discovered that curl incorrectly handled validating certain\ncertificate wildcards. A remote attacker could possibly use this issue to\nspoof certain website certificates using IDN hosts. (CVE-2023-28321)\n\nHiroki Kurosawa discovered that curl incorrectly handled callbacks when\ncertain options are set by applications. This could cause applications\nusing curl to misbehave, resulting in information disclosure, or a denial\nof service. (CVE-2023-28322)\n\nIt was discovered that curl incorrectly handled saving cookies to files. A\nlocal attacker could possibly use this issue to create or overwrite files.\nThis issue only affected Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-32001)\n","modified":"2026-02-17T21:48:19.896506Z","published":"2023-07-19T12:11:55Z","related":["UBUNTU-CVE-2023-28321","UBUNTU-CVE-2023-28322"],"upstream":["CVE-2023-28321","CVE-2023-28322","UBUNTU-CVE-2023-28321","UBUNTU-CVE-2023-28322","UBUNTU-CVE-2023-32001"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6237-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-28321"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-28322"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-32001"}],"affected":[{"package":{"name":"curl","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/curl@7.68.0-1ubuntu2.19?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.68.0-1ubuntu2.19"}]}],"versions":["7.65.3-1ubuntu3","7.65.3-1ubuntu4","7.66.0-1ubuntu1","7.67.0-2ubuntu1","7.68.0-1ubuntu1","7.68.0-1ubuntu2","7.68.0-1ubuntu2.1","7.68.0-1ubuntu2.2","7.68.0-1ubuntu2.4","7.68.0-1ubuntu2.5","7.68.0-1ubuntu2.6","7.68.0-1ubuntu2.7","7.68.0-1ubuntu2.10","7.68.0-1ubuntu2.11","7.68.0-1ubuntu2.12","7.68.0-1ubuntu2.13","7.68.0-1ubuntu2.14","7.68.0-1ubuntu2.15","7.68.0-1ubuntu2.16","7.68.0-1ubuntu2.18"],"ecosystem_specific":{"binaries":[{"binary_name":"curl","binary_version":"7.68.0-1ubuntu2.19"},{"binary_name":"libcurl3-gnutls","binary_version":"7.68.0-1ubuntu2.19"},{"binary_name":"libcurl3-nss","binary_version":"7.68.0-1ubuntu2.19"},{"binary_name":"libcurl4","binary_version":"7.68.0-1ubuntu2.19"},{"binary_name":"libcurl4-gnutls-dev","binary_version":"7.68.0-1ubuntu2.19"},{"binary_name":"libcurl4-nss-dev","binary_version":"7.68.0-1ubuntu2.19"},{"binary_name":"libcurl4-openssl-dev","binary_version":"7.68.0-1ubuntu2.19"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6237-1.json","cves_map":{"cves":[{"id":"CVE-2023-28321","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2023-28322","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"low"}]}],"ecosystem":"Ubuntu:20.04:LTS"}}},{"package":{"name":"curl","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.11?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.81.0-1ubuntu1.11"}]}],"versions":["7.74.0-1.3ubuntu2","7.74.0-1.3ubuntu3","7.80.0-3","7.81.0-1","7.81.0-1ubuntu1.1","7.81.0-1ubuntu1.2","7.81.0-1ubuntu1.3","7.81.0-1ubuntu1.4","7.81.0-1ubuntu1.6","7.81.0-1ubuntu1.7","7.81.0-1ubuntu1.8","7.81.0-1ubuntu1.10"],"ecosystem_specific":{"binaries":[{"binary_name":"curl","binary_version":"7.81.0-1ubuntu1.11"},{"binary_name":"libcurl3-gnutls","binary_version":"7.81.0-1ubuntu1.11"},{"binary_name":"libcurl3-nss","binary_version":"7.81.0-1ubuntu1.11"},{"binary_name":"libcurl4","binary_version":"7.81.0-1ubuntu1.11"},{"binary_name":"libcurl4-gnutls-dev","binary_version":"7.81.0-1ubuntu1.11"},{"binary_name":"libcurl4-nss-dev","binary_version":"7.81.0-1ubuntu1.11"},{"binary_name":"libcurl4-openssl-dev","binary_version":"7.81.0-1ubuntu1.11"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6237-1.json","cves_map":{"cves":[{"id":"CVE-2023-28321","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2023-28322","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"low"}]}],"ecosystem":"Ubuntu:22.04:LTS"}}}],"schema_version":"1.7.3"}