Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2023-28321

Public on 2023-05-17
Modified on 2024-02-01
Description

curl supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch.

IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

Severity
Medium
See what this means
CVSS v3 Base Score
5.6
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Core curl 2023-08-31 22:29 ALAS2-2023-2230
Amazon Linux 2023 curl 2023-07-19 21:24 ALAS2023-2023-270

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
NVD CVSSv3 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Red Hat: CVE-2023-28321 Mitre: CVE-2023-28321 FAQs regarding Amazon Linux ALAS/CVE Severity