CVE-2023-27534: A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~)...

CVSS Score: 8.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.28566%
Published: 3/30/2023
Updated: 3/17/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Intelligence
Root Cause Analysis

The vulnerability description clearly points to an issue in SFTP path handling related to the tilde (~) character. The provided commit `4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6` modifies the `Curl_getworkingpath` function in `lib/curl_path.c`. The patch diff shows a change in the conditional logic for SFTP path resolution. Specifically, the condition for identifying a path relative to the home directory was changed from a loose check (`working_path[1] == '~'`) to a stricter check `!memcmp(working_path, "/~/", 3)`. This directly addresses the described vulnerability where a tilde used as a prefix (e.g., `/~foo`) was incorrectly processed. The function `Curl_getworkingpath` is the one that processes the user-provided path and constructs the final path to be used, making it the vulnerable function.
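The two conditions quoted above, side by side, as an added example that is not curl's own code: it shows which paths each check treats as home-relative. The function names, the length guards, the sample paths and the simplified `resolve_path` expansion model are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix condition quoted in the analysis: inspects only the second byte.
   The length guard is added here so the index stays in bounds. */
static bool home_relative_loose(const char *p)
{
    return strlen(p) > 1 && p[1] == '~';
}

/* Post-fix condition quoted in the analysis: the whole first element must
   be "~". The length guard is added so memcmp never reads past the string. */
static bool home_relative_strict(const char *p)
{
    return strlen(p) > 2 && !memcmp(p, "/~/", 3);
}

/* Simplified model (assumption, not curl's buffer handling): expand "/~/x"
   to "<home>/x" and pass every other path through unchanged.
   Returns 0 on success, -1 if the result does not fit in out. */
static int resolve_path(const char *home, const char *p, char *out, size_t n)
{
    int w = home_relative_strict(p) ? snprintf(out, n, "%s%s", home, p + 2)
                                    : snprintf(out, n, "%s", p);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample paths; "/home/alice" is a made-up home directory. */
    const char *samples[] = { "/~/notes.txt", "/~foo/notes.txt", "/~",
                              "/srv/~/notes.txt", "/" };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (resolve_path("/home/alice", samples[i], out, sizeof out) != 0)
            continue;
        printf("%-18s loose=%d strict=%d -> %s\n", samples[i],
               home_relative_loose(samples[i]),
               home_relative_strict(samples[i]), out);
    }
    return 0;
}
```

Rows where `loose` and `strict` differ are the inputs whose handling the patch changes; they make useful regression-test cases when checking that a deployed curl is 8.0.0 or later.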
