CVE-2023-27534
Published 2023-03-30
Priority: P3 · 56 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.20% (80.2th percentile)
A path traversal vulnerability exists in the curl <8.0.0 SFTP implementation that causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
Affected
29 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.88.1-7 (bookworm) | curl 7.88.1-7 (bookworm) |
| fedoraproject | fedora | — | — |
| haxx | curl | >= 0 < 7.74.0-1.3+deb11u8 | 7.74.0-1.3+deb11u8 |
| haxx | curl | >= 0 < 7.88.1-7 | 7.88.1-7 |
| haxx | curl | >= 0 < 7.88.1-7 | 7.88.1-7 |
| haxx | curl | >= 0 < 7.88.1-7 | 7.88.1-7 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.24 | 7.58.0-2ubuntu3.24 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.18 | 7.68.0-1ubuntu2.18 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.10 | 7.81.0-1ubuntu1.10 |
| haxx | curl | 7.18.0 – 7.88.1 | — |
| https | github.com_curl_curl | — | — |
| msrc | azl3_cmake_3.21.4-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_cmake_3.28.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.11.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cmake_3.21.4-12_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_curl_8.0.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_mysql_8.0.34-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_rust_1.72.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
CVSS provenance
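| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
| vendor_oracle | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 8.8 | HIGH | — |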
CISA ICS
Siemens SINEC NMS
cisa_ics·2024-02-15
ICS Advisory
Release Date: February 15, 2024
Alert Code: ICSA-24-046-15
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC NMS
- Vulnerabilities: Out-of-bounds Read, Inadequate Encryption Strength, Double Free, Use After Free, NULL Pointer Dereference, Improper Input Validation, Missing Encryption of Sensitive Data, Allocation of Resources Wit
Oracle
Oracle Oracle Hyperion Risk Matrix: Infrastructure (curl) — CVE-2023-27534
vendor_oracle·2023-10-15·CVSS 8.8
CVE-2023-27534 [HIGH] Oracle Oracle Hyperion Risk Matrix: Infrastructure (curl) — CVE-2023-27534
Oracle Oracle Hyperion Risk Matrix: Infrastructure (curl) vulnerability
CVE: CVE-2023-27534
CVSS: 8.8
Protocol: SFTP
Remote exploit: No
Affected versions: Network
Advisory: cpuoct2023 (OCT 2023)
Red Hat
curl: SFTP path ~ resolving discrepancy
vendor_redhat·2023-03-20·CVSS 8.8
CVE-2023-27534 [HIGH] CWE-22 curl: SFTP path ~ resolving discrepancy
curl: SFTP path ~ resolving discrepancy
A path traversal vulnerability exists in the curl <8.0.0 SFTP implementation that causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
Statement: In a containerized environment running SELinux in enforcing mode, such as Red Hat OpenShift Container Platform, this vulnerability does not allow an attacker to escape the boundary of a container. In this case no additional access is gained, there is an additional (but more complicated step) to look at
Ubuntu
curl vulnerabilities
vendor_ubuntu·2023-03-20·CVSS 8.8
CVE-2023-27533 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Harry Sintonen discovered that curl incorrectly handled certain TELNET
connection options. Due to lack of proper input scrubbing, curl could pass
on user name and telnet options to the server as provided, contrary to
expectations. (CVE-2023-27533)
Harry Sintonen discovered that curl incorrectly handled special tilde
characters when used with SFTP paths. A remote attacker could possibly use
this issue to circumvent filtering. (CVE-2023-27534)
Harry Sintonen discovered that curl incorrectly reused certain FTP
connections. This could lead to the wrong credentials being reused,
contrary to expectations. (CVE-2023-27535)
Harry Sintonen discovered that curl incorrectly reused connections when the
GSS delegation
Microsoft
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element in addition to its intend
vendor_msrc·2023-03-14·CVSS 8.8
CVE-2023-27534 [HIGH] CWE-22 A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element in addition to its intend
A path traversal vulnerability exists in curl
Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
hackerone: hackerone
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microso
Debian
CVE-2023-27534: curl - A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes ...
vendor_debian·2023·CVSS 8.8
CVE-2023-27534 [HIGH] CVE-2023-27534: curl - A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes ...
A path traversal vulnerability exists in the curl <8.0.0 SFTP implementation that causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
Scope: local
bookworm: resolved (fixed in 7.88.1-7)
bullseye: resolved (fixed in 7.74.0-1.3+deb11u8)
forky: resolved (fixed in 7.88.1-7)
sid: resolved (fixed in 7.88.1-7)
trixie: resolved (fixed in 7.88.1-7)
GHSA
GHSA-4j25-c9rf-fp5f: A path traversal vulnerability exists in curl <8
ghsa_unreviewed·2023-03-30
CVE-2023-27534 [HIGH] CWE-22 GHSA-4j25-c9rf-fp5f: A path traversal vulnerability exists in curl <8
A path traversal vulnerability exists in the curl <8.0.0 SFTP implementation that causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
OSV
CVE-2023-27534: A path traversal vulnerability exists in curl <8
osv·2023-03-30·CVSS 8.8
CVE-2023-27534 [HIGH] CVE-2023-27534: A path traversal vulnerability exists in curl <8
A path traversal vulnerability exists in the curl <8.0.0 SFTP implementation that causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
OSV
curl vulnerabilities
osv·2023-03-20·CVSS 8.8
CVE-2023-27533 [HIGH] curl vulnerabilities
curl vulnerabilities
Harry Sintonen discovered that curl incorrectly handled certain TELNET
connection options. Due to lack of proper input scrubbing, curl could pass
on user name and telnet options to the server as provided, contrary to
expectations. (CVE-2023-27533)
Harry Sintonen discovered that curl incorrectly handled special tilde
characters when used with SFTP paths. A remote attacker could possibly use
this issue to circumvent filtering. (CVE-2023-27534)
Harry Sintonen discovered that curl incorrectly reused certain FTP
connections. This could lead to the wrong credentials being reused,
contrary to expectations. (CVE-2023-27535)
Harry Sintonen discovered that curl incorrectly reused connections when the
GSS delegation option had been changed. This could lead to the option being
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2023-27534: SFTP path ~ resolving discrepancy
hackerone·2023-03-22·CVSS 8.8
CVE-2023-27534 [HIGH] CVE-2023-27534: SFTP path ~ resolving discrepancy
CVE-2023-27534: SFTP path ~ resolving discrepancy
## Summary:
libcurl `Curl_getworkingpath` function resolves `~` as remote users' home directory. This routine behaves in an undocumented way for `sftp` protocol. In particular it is said that `/~/` is converted to remote user's home directory (*1), while this isn't how the function actually behaves. This can lead to unexpected final path for the `sftp` access, and allow an attacker with partial path access to gain access to unintended remote system path locations.
## Steps To Reproduce:
1. access `sftp://host/~a../other/file`
2. remote path will result as: `/home/user/../other/file`
It's notable that when `~a..` path component is checked for path traversal via normal unix path resolving rules, the path component is **not** considered acce
HackerOne
CVE-2023-27534: SFTP path ~ resolving discrepancy
hackerone·2023-03-20·CVSS 8.8
CVE-2023-27534 [HIGH] CVE-2023-27534: SFTP path ~ resolving discrepancy
CVE-2023-27534: SFTP path ~ resolving discrepancy
curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element.
Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo.
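An added example, not curl's code and not taken from any of the advisories: a caller-side check for applications that hand user-influenced SFTP URLs to curl older than 8.0.0. It shows why a filter that only rejects `..` path elements passes `/~a../other/file`, and adds rejection of a first element that merely starts with `~`. The host name `host`, the function names and the `..` filter itself are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote

def path_elements(url: str) -> list[str]:
    """Percent-decode the path of an sftp:// URL and split it into elements."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "sftp":
        raise ValueError(f"not an sftp URL: {url!r}")
    path = unquote(parts.path)
    # Drop exactly one leading '/', so "/~2/foo" yields ["~2", "foo"].
    return (path[1:] if path.startswith("/") else path).split("/")

def classify_first_element(url: str) -> str:
    """'home-relative' for a lone '~', 'tilde-prefix' for '~x', else 'plain'."""
    first = path_elements(url)[0]
    if first == "~":
        return "home-relative"
    if first.startswith("~"):
        return "tilde-prefix"
    return "plain"

def dotdot_filter_allows(url: str) -> bool:
    """Filter assumed by this example: reject any element equal to '..'."""
    return ".." not in path_elements(url)

def strict_filter_allows(url: str) -> bool:
    """Same filter, plus rejection of a '~'-prefixed first element."""
    return (dotdot_filter_allows(url)
            and classify_first_element(url) != "tilde-prefix")

# Constructed sample URLs; the tilde paths are the ones quoted in the advisories.
SAMPLES = [
    "sftp://host/~/docs/report.txt",
    "sftp://host/~2/foo",
    "sftp://host/~a../other/file",
    "sftp://host/%7Ea../other/file",
    "sftp://host/srv/~x/file",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:32} {classify_first_element(url):14} "
              f"dotdot={dotdot_filter_allows(url)} "
              f"strict={strict_filter_allows(url)}")
```

The check only matters for callers still on an affected curl; a `~` that appears after the first path element is left alone because the advisory limits the behaviour to the first element.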
## Hackerone report
#1892351
- https://hackerone.com/reports/1892351
- https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/
- https://security.gentoo.org/glsa/202310-12
- https://security.netapp.com/advisory/ntap-20230420-0012/