CVE-2023-28319

7.5 HIGH

📋 TL;DR

CVE-2023-28319 is a use-after-free vulnerability in curl/libcurl versions before 8.1.0 that occurs during SSH server public key verification. When verification fails, curl frees memory containing the fingerprint hash but then includes that freed data in error messages, potentially leaking sensitive heap data. This affects any application using vulnerable curl/libcurl versions with SSH key verification enabled.

💻 Affected Systems

Products:
  • curl
  • libcurl
Versions: All versions before 8.1.0
Operating Systems: All operating systems where curl/libcurl is installed
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using SSH connections with public key hash verification enabled via CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 or similar options.

📦 What is this software?

Curl by Haxx

curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.


Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive heap memory contents containing passwords, keys, or other application data could be exposed in error messages visible to users or logged in clear text.

🟠

Likely Case

Limited information disclosure of heap memory fragments, potentially revealing some application state or configuration details.

🟢

If Mitigated

No data leakage if proper error handling prevents exposure of error messages or if SSH key verification is not used.

🌐 Internet-Facing: MEDIUM - Requires SSH connections with key verification enabled, which is less common than HTTP but still used in many automation scenarios.
🏢 Internal Only: MEDIUM - Similar risk profile as internet-facing, but exposure scope is limited to internal networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires triggering SSH key verification failure, which can be done by connecting to a server with mismatched keys. Proof-of-concept code is available in public disclosures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: curl 8.1.0 and later

Vendor Advisory: https://curl.se/docs/CVE-2023-28319.html

Restart Required: Yes

Instructions:

1. Download curl 8.1.0 or later from https://curl.se/download.html
2. Compile and install according to your platform instructions
3. Restart any services or applications using libcurl
4. Verify the update with 'curl --version'

🔧 Temporary Workarounds

Disable SSH key hash verification
Platform: all

Avoid using CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and related options for SSH key verification. Do not leave the connection without any host key check; pair this with known_hosts verification (below) so the server is still authenticated.

# Modify application code to remove CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 usage

Use alternative SSH verification methods
Platform: all

Use known_hosts file verification instead of hash-based verification.

# Configure curl to use a known_hosts file:
curl_easy_setopt(curl, CURLOPT_SSH_KNOWNHOSTS, "/path/to/known_hosts");

🧯 If You Can't Patch

  • Disable SSH connections entirely in affected applications
  • Implement network segmentation to restrict SSH connections to trusted servers only

🔍 How to Verify

Check if Vulnerable:

Run 'curl --version' and check if version is below 8.1.0. Also check if application code uses SSH key hash verification options.

Check Version:

curl --version | head -1

Verify Fix Applied:

Confirm curl version is 8.1.0 or higher with 'curl --version'. Test SSH connections with key verification to ensure no memory errors occur.
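The two checks above (version below 8.1.0, and hash-based SSH host key verification in use) can be scripted for a fleet. The following is an added example, not part of the advisory or of curl itself; the version line and application snippet are constructed samples, and the script assumes that SSH support shows up as a libssh2/ or libssh/ token on the first line of `curl --version` and that the CLI equivalent of the library option is `--hostpubsha256`.

```python
import re

# Constructed sample of the first line of `curl --version` (not a real capture):
# a libcurl 8.0.1 build that lists libssh2, i.e. SSH support is compiled in.
SAMPLE_VERSION_LINE = ("curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 "
                       "OpenSSL/3.0.8 zlib/1.2.13 libssh2/1.10.0")

FIXED_VERSION = (8, 1, 0)               # first release containing the fix
SSH_BACKENDS = ("libssh2/", "libssh/")  # tokens curl prints when built with SSH
# Option names this advisory calls out: the library option and the CLI flag.
HASH_VERIFY_TOKENS = ("CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256", "--hostpubsha256")

VERSION_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")
TOOL_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)")


def parse_libcurl_version(line):
    """Version tuple of the libcurl the tool links against; falls back to
    the tool's own version when no libcurl/ token is present."""
    m = VERSION_RE.search(line) or TOOL_RE.match(line)
    if not m:
        raise ValueError("unrecognised curl --version output: %r" % line)
    return tuple(int(part) for part in m.groups())


def assess(version_line, source_text=""):
    """Combine the three conditions the advisory requires for exposure:
    unpatched version, SSH support present, and hash-based host key
    verification actually used by the application (or its curl invocations)."""
    version = parse_libcurl_version(version_line)
    ssh_support = any(token in version_line for token in SSH_BACKENDS)
    hash_verify = sorted(t for t in HASH_VERIFY_TOKENS if t in source_text)
    return {
        "version": version,
        "patched": version >= FIXED_VERSION,
        "ssh_support": ssh_support,
        "hash_verify_used": hash_verify,
        "exposed": version < FIXED_VERSION and ssh_support and bool(hash_verify),
    }


if __name__ == "__main__":
    # Constructed application snippet standing in for a real source tree scan.
    snippet = "curl_easy_setopt(h, CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256, expected_fp);"
    print(assess(SAMPLE_VERSION_LINE, snippet))
```

Feed `assess` the first line of `curl --version` from each host plus the concatenated source or wrapper scripts; a build without an SSH backend cannot reach the vulnerable path even when unpatched.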

📡 Detection & Monitoring

Log Indicators:

  • Error messages containing unusual hex strings or memory addresses after SSH connection failures
  • Application crashes or memory corruption errors during SSH operations

Network Indicators:

  • Failed SSH connections with curl/libcurl user agents
  • Unusual SSH connection patterns to trigger verification failures

SIEM Query:

source="application.logs" AND "curl" AND "SSH" AND ("verification failed" OR "fingerprint")
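The log indicator above ("unusual hex strings or memory addresses" in SSH failure messages) can be turned into a concrete rule: a genuine SHA-256 host key mismatch reports a remote fingerprint that is 43 base64 characters, so anything else in that position is worth a look. This is an added example, not the advisory's own query; the log lines are constructed, and the "mismatch sha256 fingerprint. Remote X is not equal to Y" wording is modelled on libcurl's error text and treated as an assumption.

```python
import re

# Constructed sample log lines (not real captures). Line 1 is a normal host key
# mismatch, line 2 carries a malformed remote fingerprint of the kind the leak
# could leave behind, line 3 is an unrelated curl failure.
SAMPLE_LOGS = [
    "2023-05-17T10:01:02Z sync[4711] curl: (60) SSH: Denied establishing ssh "
    "session: mismatch sha256 fingerprint. Remote "
    "NyIz8mQ2mdsvTnoJxLD3rCRqK2k9Y4oMvBUp9NmzQ5E is not equal to "
    "0Wk0Fz4iCdAa5P0q2qE1gzg3Hyrz9JpQ2QZTNnd8T0Y",
    "2023-05-17T10:01:05Z sync[4711] curl: (60) SSH: Denied establishing ssh "
    "session: mismatch sha256 fingerprint. Remote "
    "\\x7f\\x00\\x00\\x000x55d4e2c3a1b0 is not equal to "
    "0Wk0Fz4iCdAa5P0q2qE1gzg3Hyrz9JpQ2QZTNnd8T0Y",
    "2023-05-17T10:02:11Z sync[4712] curl: (7) Failed to connect to "
    "example.invalid port 443",
]

# Assumed message shape (see lead-in); only the 'remote' group is judged.
MISMATCH_RE = re.compile(
    r"mismatch sha256 fingerprint\. Remote (?P<remote>\S+) is not equal to (?P<expected>\S+)")
# base64 of a 32-byte digest: 43 characters, optionally one '=' of padding.
B64_SHA256_RE = re.compile(r"^[A-Za-z0-9+/]{43}=?$")


def classify(line):
    """None for unrelated lines; 'ssh-failure' for other curl SSH verification
    errors; 'mismatch' for a well-formed host key mismatch; 'suspect-leak' when
    the remote fingerprint is not a valid base64 SHA-256 at all."""
    if "curl" not in line or "ssh" not in line.lower():
        return None
    m = MISMATCH_RE.search(line)
    if not m:
        if "fingerprint" in line or "verification failed" in line:
            return "ssh-failure"
        return None
    return "mismatch" if B64_SHA256_RE.match(m.group("remote")) else "suspect-leak"


def scan(lines):
    """Return (index, verdict) for every line that is curl SSH related."""
    results = []
    for i, line in enumerate(lines):
        verdict = classify(line)
        if verdict:
            results.append((i, verdict))
    return results
```

A 'suspect-leak' verdict on a host that the version check flagged as unpatched is the signal to capture the full message and rotate anything that may have sat in that process's heap.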
