{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2022-27782: check additional TLS or SSH connection parameters that should\n  have prohibited connection reuse\n- CVE-2023-27534: fix SFTP path '~' resolving discrepancy\n- fix read off end of array for SCP home directory case",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2023:1697816385",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2023:1697816385"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos7els/advisories/2023/clsa-2023_1697816385.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-05-05T11:18:44Z",
      "generator": {
        "date": "2026-05-05T11:18:44Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2023:1697816385",
      "initial_release_date": "2023-10-20T11:39:47Z",
      "revision_history": [
        {
          "date": "2023-10-20T11:39:47Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-05T11:18:44Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "curl: Fix of 2 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 7",
                "product": {
                  "name": "Community Enterprise Operating System 7",
                  "product_id": "CentOS-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
                "product": {
                  "name": "curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
                  "product_id": "curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/curl@7.29.0-59.el7_9.1.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
                "product": {
                  "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
                  "product_id": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.el7_9.1.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
                  "product_id": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.el7_9.1.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
                  "product_id": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.el7_9.1.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
                  "product_id": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.el7_9.1.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
                "product": {
                  "name": "curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
                  "product_id": "curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/curl@7.29.0-59.el7_9.1.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
                "product": {
                  "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
                  "product_id": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.el7_9.1.tuxcare.els2?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
                  "product_id": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.el7_9.1.tuxcare.els2?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
                  "product_id": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.el7_9.1.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
                "product": {
                  "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
                  "product_id": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.el7_9.1.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64"
        },
        "product_reference": "curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64"
        },
        "product_reference": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686"
        },
        "product_reference": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64"
        },
        "product_reference": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686"
        },
        "product_reference": "libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64"
        },
        "product_reference": "curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-27534",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      },
      "notes": [
        {
          "category": "description",
          "text": "A path traversal vulnerability exists in curl <8.0.0: the SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
          "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
          "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
          "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
          "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64"
        ],
        "known_affected": [
          "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
          "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
          "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
          "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
          "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-27534"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/1892351",
          "url": "https://hackerone.com/reports/1892351"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html",
          "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202310-12",
          "url": "https://security.gentoo.org/glsa/202310-12"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20230420-0012/",
          "url": "https://security.netapp.com/advisory/ntap-20230420-0012/"
        }
      ],
      "release_date": "2023-03-30T20:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-20T11:39:47Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2023:1697816385",
          "product_ids": [
            "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2023:1697816385"
        },
        {
          "category": "none_available",
          "details": "Affected",
          "product_ids": [
            "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2022-27782",
      "notes": [
        {
          "category": "description",
          "text": "libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
          "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
          "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
          "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
          "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64"
        ],
        "known_affected": [
          "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
          "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
          "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
          "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
          "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2022-27782"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2023/03/20/6",
          "url": "http://www.openwall.com/lists/oss-security/2023/03/20/6"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/1555796",
          "url": "https://hackerone.com/reports/1555796"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html",
          "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202212-01",
          "url": "https://security.gentoo.org/glsa/202212-01"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20220609-0009/",
          "url": "https://security.netapp.com/advisory/ntap-20220609-0009/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2022/dsa-5197",
          "url": "https://www.debian.org/security/2022/dsa-5197"
        }
      ],
      "release_date": "2022-06-02T14:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-20T11:39:47Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2023:1697816385",
          "product_ids": [
            "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2023:1697816385"
        },
        {
          "category": "none_available",
          "details": "Affected",
          "product_ids": [
            "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.i686",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:curl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
            "CentOS-7:libcurl-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.i686",
            "CentOS-7:libcurl-devel-0:7.29.0-59.el7_9.1.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}