GHSA-3vpc-4p9p-47hc: curl_cffi bundles a version of libcurl affected by High Severity vulnerability

Summary

curl_cffi is potentially affected by a High Severity vulnerability (CVE-2023-38545) in libcurl<8.4.0.

Details

HIGH severity vulnerability in curl and libcurl: announcement.
Details are still unknown, but it seems it will be a major issue, as it is advertised by the curl developers as "probably the worst curl security flaw in a long time".
A patched version (8.4.0) and details will be published around 06:00 UTC on October 11.
curl_cffi wheels on PyPI ship with libcurl 7.84.0.

PoC

https://inspector.pypi.io/project/curl-cffi/0.5.10b2/packages/56/ae/eb7d39ad234f1f44650b910757d5aa696feff413d327c8328223ce78cb76/curl_cffi-0.5.10b2-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl/curl_cffi/include/curl/curlver.h
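The PoC link above points at the `curlver.h` header bundled inside the wheel. The following script, added here as an example and not part of the advisory or the curl_cffi project, reads that header (from text or straight out of a downloaded `.whl`, which is a zip archive) and flags any bundled libcurl older than 8.4.0; the header path and the sample excerpt are assumptions modelled on the PoC link, and the sample is constructed.

```python
import re
import zipfile
from typing import Optional, Tuple

# First libcurl release carrying the fix for CVE-2023-38545.
FIXED_LIBCURL = (8, 4, 0)

# Location of the bundled header inside a curl_cffi wheel (from the PoC link; assumed stable).
CURLVER_PATH = "curl_cffi/include/curl/curlver.h"

# curlver.h declares e.g. #define LIBCURL_VERSION "7.84.0"; suffixes like "-DEV" are tolerated.
_VERSION_RE = re.compile(r'^#define\s+LIBCURL_VERSION\s+"(\d+)\.(\d+)\.(\d+)[^"]*"', re.M)


def parse_libcurl_version(header_text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the LIBCURL_VERSION define, or None if absent."""
    m = _VERSION_RE.search(header_text)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: Tuple[int, int, int], fixed=FIXED_LIBCURL) -> bool:
    """True when the bundled libcurl predates the fixed release."""
    return version < fixed


def scan_wheel(wheel_path: str) -> Optional[Tuple[int, int, int]]:
    """Read the bundled curlver.h out of a downloaded wheel without installing it."""
    with zipfile.ZipFile(wheel_path) as whl:
        try:
            text = whl.read(CURLVER_PATH).decode("utf-8", errors="replace")
        except KeyError:
            return None  # no bundled header: not a binary curl_cffi wheel
    return parse_libcurl_version(text)


# Constructed excerpt mirroring what a 0.5.x wheel's curlver.h declares.
SAMPLE_CURLVER_H = '''
#define LIBCURL_VERSION "7.84.0"
#define LIBCURL_VERSION_MAJOR 7
#define LIBCURL_VERSION_MINOR 84
#define LIBCURL_VERSION_PATCH 0
'''

if __name__ == "__main__":
    v = parse_libcurl_version(SAMPLE_CURLVER_H)
    print(f"bundled libcurl {v}: {'AFFECTED' if is_affected(v) else 'ok'}")
```

Run `scan_wheel("curl_cffi-<version>-...whl")` against a wheel fetched from PyPI to check a specific release; the function never executes anything from the archive.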

Resolution

Versions after 0.7 bundle libcurl>=8.5, which is not affected by this issue.


Package

curl-cffi (pip)

Affected versions

<= 0.6.4

Patched versions

0.7.0b6

References

  • GHSA-3vpc-4p9p-47hc
  • GHSA-7xw9-w465-6x42

lexiforest published to lexiforest/curl_cffi: Oct 22, 2024

Published to the GitHub Advisory Database: Oct 22, 2024

Reviewed: Oct 22, 2024