How serious is CVE-2023-27533?

This vulnerability has a CVSS score of 8.8 out of 10, classified as HIGH severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2023-27533?

Yes, proof-of-concept exploit code for CVE-2023-27533 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2023-27533?

CVE-2023-27533 affects haxx curl. Check the full CVE details for specific version information.

How do I fix CVE-2023-27533?

To remediate CVE-2023-27533, check for security patches from haxx. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2023-27533

High

|8.8

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

An attacker can exploit a vulnerability in curl to send malicious commands during TELNET communication, potentially allowing them to execute arbitrary code on the system. This can happen if an application using curl accepts user input without properly checking it, making it particularly risky for applications that rely on user-provided data.

Technical Description

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionRequired

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$4,789($1K-$5K)

Vendor Response

Grade FPatched in 1051 days

Quick Information

Published

Mar 30, 2023

almost 3 years ago

Last Modified

Feb 13, 2026

7 days ago

Vendor

haxx

Product

curl

Related Vulnerabilities

CVE-2023-28322Low

This vulnerability allows an attacker to potentially send incorrect data during an HTTP POST request if the same connection handle was previously used for a PUT request, which could lead to unexpected application behavior. It mainly affects applications that reuse connection handles without properly resetting them, making it important for developers to be cautious when switching between different types of requests.

CVE-2023-23915Medium

This vulnerability allows an attacker to potentially intercept sensitive information during data transfers because the curl tool may fail to upgrade certain HTTP requests to secure HTTPS when multiple requests are made at the same time. This issue occurs only when using curl versions prior to 7.88.0 and can lead to unprotected data being sent over the internet instead of the intended secure connection.

CVE-2022-43551High

An attacker can trick curl into using an insecure HTTP connection instead of the intended secure HTTPS by manipulating the URL with special characters that confuse the software's security checks. This vulnerability occurs when the URL contains IDN characters that are converted to ASCII, allowing the attacker to bypass the HSTS protection that should enforce secure connections.

CVE-2022-32221Critical

This vulnerability allows an attacker to manipulate data sent in a POST request by exploiting a flaw in how the curl library handles reused connections, potentially leading to the wrong data being sent or causing the application to crash. It occurs when a connection that was previously used for a PUT request is reused for a POST request without properly resetting the data handling, which could happen in applications that frequently switch between these types of requests.

CVE-2022-42916High

This vulnerability allows an attacker to trick curl into using an insecure HTTP connection instead of the intended secure HTTPS connection by manipulating the URL with special characters. This can happen when the URL includes international domain names that get converted to ASCII, making it possible for the attacker to bypass security checks designed to enforce HTTPS.