GHSA-3VPC-4P9P-47HC
Vulnerability from github – Published: 2024-10-22 18:15 – Updated: 2024-10-22 18:15
VLAI
Summary
curl_cffi bundles a version of libcurl affected by High Severity vulnerability
Details
Summary
curl_cffi is potentially affected by High Severity vulnerability (CVE-2023-38545) in libcurl<8.4.0
Details
HIGH severity vulnerability in curl and libcurl: announcement Details are still unknown, but seems it will be a major issue as it's advertised by curl devs as "probably the worst curl security flaw in a long time". A patched version (8.4.0) and details will be published around 06:00 UTC on October 11. curl_cffi wheels on PyPI ship with libcurl 7.84.0
PoC
Resolution
Versions after 0.7 bundles with libcurl>=8.5, which is not affected by this issue.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.4"
},
"package": {
"ecosystem": "PyPI",
"name": "curl-cffi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0b6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-22T18:15:17Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\ncurl_cffi is potentially affected by High Severity vulnerability (CVE-2023-38545) in libcurl\u003c8.4.0\n\n### Details\nHIGH severity vulnerability in curl and libcurl: [announcement](https://github.com/curl/curl/discussions/12026#discussioncomment-7195548)\nDetails are still unknown, but seems it will be a major issue as it\u0027s advertised by curl devs as \"_probably the worst curl security flaw in a long time_\".\nA patched version (8.4.0) and details will be published around 06:00 UTC on October 11.\ncurl_cffi wheels on PyPI ship with libcurl 7.84.0\n\n### PoC\n[https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h](https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h)\n\n### Resolution\n\nVersions after 0.7 bundles with `libcurl\u003e=8.5`, which is not affected by this issue.\n",
"id": "GHSA-3vpc-4p9p-47hc",
"modified": "2024-10-22T18:15:17Z",
"published": "2024-10-22T18:15:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-3vpc-4p9p-47hc"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-7xw9-w465-6x42"
},
{
"type": "PACKAGE",
"url": "https://github.com/lexiforest/curl_cffi"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "curl_cffi bundles a version of libcurl affected by High Severity vulnerability"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…