{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-27534", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "dateUpdated": "2024-08-02T12:16:35.536Z", "dateReserved": "2023-03-02T00:00:00", "datePublished": "2023-03-30T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-03-17T12:05:55.110367"}, "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user."}], "affected": [{"vendor": "n/a", "product": "https://github.com/curl/curl", "versions": [{"version": "Fixed in 8.0.0", "status": "affected"}]}], "references": [{"url": "https://hackerone.com/reports/1892351"}, {"name": "FEDORA-2023-7e7414e64d", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"}, {"url": "https://security.netapp.com/advisory/ntap-20230420-0012/"}, {"name": "GLSA-202310-12", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202310-12"}, {"name": "[debian-lts-announce] 20240317 [SECURITY] [DLA 3763-1] curl security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "Path Traversal (CWE-22)", "cweId": "CWE-22"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:16:35.536Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/1892351", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-7e7414e64d", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"}, {"url": "https://security.netapp.com/advisory/ntap-20230420-0012/", "tags": ["x_transferred"]}, {"name": "GLSA-202310-12", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202310-12"}, {"name": "[debian-lts-announce] 20240317 [SECURITY] [DLA 3763-1] curl security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "matchCriteriaId": "326E6E4E-DA6B-4794-A6EE-0060C6D965E9", "versionEndIncluding": "7.88.1", "versionStartIncluding": "7.18.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", "vulnerable": true}, {"criteria": "cpe:2.3:o:broadcom:brocade_fabric_operating_system_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "B2748912-FC54-47F6-8C0C-B96784765B8E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "6770B6C3-732E-4E22-BF1C-2D2FD610061C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*", "matchCriteriaId": "9F9C8C20-42EB-4AB5-BD97-212DEB070C43", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "7FFF7106-ED78-49BA-9EC5-B889E3685D53", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*", "matchCriteriaId": "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "56409CEC-5A1E-4450-AA42-641E459CC2AF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*", "matchCriteriaId": "B06F4839-D16A-4A61-9BB5-55B13F41E47F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "D0B4AD8A-F172-4558-AEC6-FF424BA2D912", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*", "matchCriteriaId": "8497A4C9-8474-4A62-8331-3FE862ED4098", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*", "matchCriteriaId": "5722E753-75DE-4944-A11B-556CB299B57D", "versionEndExcluding": "8.2.12", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC0F9351-81A4-4FEA-B6B5-6E960A933D32", "versionEndExcluding": "9.0.6", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EED24E67-2957-4C1B-8FEA-E2D2FE7B97FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user."}], "id": "CVE-2023-27534", "lastModified": "2024-03-27T14:54:34.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-30T20:15:07.427", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/1892351"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202310-12"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230420-0012/"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Daniel Stenberg and Harry Sintonen for reporting this issue.", "affected_release": [{"advisory": "RHSA-2023:3355", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "curl", "product_name": "JBCS httpd 2.4.51.sp2", "release_date": "2023-06-05T00:00:00Z"}, {"advisory": "RHSA-2023:3354", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-curl-0:8.0.1-1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2023-06-05T00:00:00Z"}, {"advisory": "RHSA-2023:3354", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:8.0.1-1.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2023-06-05T00:00:00Z"}, {"advisory": "RHSA-2023:6679", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "curl-0:7.76.1-26.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:6679", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "curl-0:7.76.1-26.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "curl: SFTP path ~ resolving discrepancy", "id": "2179069", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179069"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user."], "name": "CVE-2023-27534", "package_state": [{"cpe": "cpe:/a:redhat:rhel_dotnet:3.1", "fix_state": "Out of support scope", "package_name": "rh-dotnet31-curl", "product_name": ".NET Core 3.1 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2023-03-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-27534\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-27534\nhttps://curl.se/docs/CVE-2023-27534.html"], "statement": "In a containerized environment running SELinux in enforcing mode, such as Red Hat OpenShift Container Platform, this vulnerability does not allow an attacker to escape the boundary of a container. In this case no additional access is gained, there is an additional (but more complicated step) to look at files the user already has access to.\nThe upstream project (Curl) also rated this CVE as Low, see link in External References.\nIt is unlikely that Red Hat offerings are utilizing the SFTP feature of Curl, so the opportunity to exploit it may not exist. For those reasons Red Hat Product Security rates the impact as Low.", "threat_severity": "Low", "upstream_fix": "curl 8.0.0"}