Home > Vulnerability Database > CVE-2023-28321

Mend.io Vulnerability Database

CVE-2023-28321

Good to know:

Date: May 26, 2023

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.

Language: C

Severity Score

5.9

Related Resources (18)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-28321

Url: https://support.apple.com/kb/HT213843

Url: http://seclists.org/fulldisclosure/2023/Jul/52

Url: https://github.com/curl/curl/commit/199f2d440d8659b42

Url: https://access.redhat.com/security/cve/CVE-2023-28321

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/

Url: https://support.apple.com/kb/HT213844

Url: https://seclists.org/oss-sec/2023/q2/167

Url: https://support.apple.com/kb/HT213845

Url: https://security.gentoo.org/glsa/202310-12

Url: https://security-tracker.debian.org/tracker/CVE-2023-28321

Url: https://security.netapp.com/advisory/ntap-20230609-0009/

Url: https://hackerone.com/reports/1950627

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/

Url: https://lists.debian.org/debian-lts-announce/2023/10/msg00016.html

Url: http://seclists.org/fulldisclosure/2023/Jul/48

Url: http://seclists.org/fulldisclosure/2023/Jul/47

Url: https://www.mend.io/vulnerability-database/CVE-2023-28321

Severity Score

5.9

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Top Fix

Upgrade Version

Upgrade to version curl-8_1_0

Learn More

CVSS v3.1

Base Score:	5.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-28321

Good to know:

Date: May 26, 2023

Language: C

Severity Score

Related Resources (18)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?