The description of CVE-2023-28321 states that curl's private wildcard-matching function handled International Domain Name (IDN) hosts incorrectly, so that a partial-wildcard pattern such as x* could match a puny-coded name such as xn--example.

Commit: https://github.com/curl/curl/commit/199f2d440d8659b42

Affected file: lib/vtls/hostcheck.c, specifically the static function hostmatch and the unit tests for Curl_cert_hostcheck, which calls hostmatch.

The diff of hostmatch shows that the old code contained complex logic for handling several wildcard forms (a*, *b, a*b). That logic was removed and replaced with a stricter check that only accepts wildcards of the form *.domain.com.

hostmatch is identified as the vulnerable code because it permitted a pattern such as x* to match a puny-coded IDN name, which always begins with xn--. The strncasecompare(pattern, "xn--", 4) check in the old code was insufficient to prevent this kind of mismatch with partial wildcards.

hostmatch is the function that contains the flawed logic. Curl_cert_hostcheck is the non-static function that calls hostmatch and is the more likely candidate to appear in a runtime profile, since it is the entry point for this custom certificate-check logic within libcurl for the TLS backends that use it.

Both functions are listed: hostmatch for containing the core vulnerability, and Curl_cert_hostcheck as the direct caller and runtime indicator.
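To make the difference between the two wildcard policies concrete, here is an added illustration in C. It is not curl's code and does not reproduce hostmatch or Curl_cert_hostcheck; the functions loose_label_match, strict_label_match, match_with, vulnerable_hostcheck and fixed_hostcheck are hypothetical simplifications written for this page. The loose matcher accepts a '*' anywhere in the leftmost label (the a*, *b, a*b forms), which is enough to show why x*.example.com matches the constructed A-label host xn--example.example.com. The strict matcher accepts a wildcard only as a whole leftmost label in the *.domain.com shape; the requirement that the parent domain itself contain a dot is an assumption added here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Leftmost-label matcher with partial-wildcard semantics (hypothetical
   simplification of the pre-fix behaviour). A '*' may sit anywhere in the
   pattern label, with fixed prefix/suffix text around it, so "x*" matches
   the A-label "xn--example": nothing rejects a wildcard that covers only
   part of an IDN label. */
static bool loose_label_match(const char *hlabel, size_t hlen,
                              const char *plabel, size_t plen)
{
  const char *star = memchr(plabel, '*', plen);
  if(!star)
    return hlen == plen && strncasecmp(hlabel, plabel, hlen) == 0;
  {
    size_t prefix = (size_t)(star - plabel); /* chars before '*' */
    size_t suffix = plen - prefix - 1;        /* chars after '*'  */
    if(hlen < prefix + suffix)
      return false;
    return strncasecmp(hlabel, plabel, prefix) == 0 &&
           strncasecmp(hlabel + hlen - suffix, star + 1, suffix) == 0;
  }
}

/* Strict leftmost-label matcher in the spirit of the fix: a wildcard is
   accepted only when it is the entire label ("*") and the hostname label
   it stands for is non-empty. Any other use of '*' is rejected outright,
   which is what closes the "x*" versus "xn--..." hole. */
static bool strict_label_match(const char *hlabel, size_t hlen,
                               const char *plabel, size_t plen)
{
  if(memchr(plabel, '*', plen) == NULL)
    return hlen == plen && strncasecmp(hlabel, plabel, hlen) == 0;
  return plen == 1 && plabel[0] == '*' && hlen > 0;
}

typedef bool (*label_matcher)(const char *, size_t, const char *, size_t);

/* Split host and pattern at their first '.', require the parent domains to
   match exactly (case-insensitively), then hand the leftmost labels to the
   chosen label matcher. Assumption made here: a wildcard pattern's parent
   domain must itself contain a dot (the "*.domain.com" shape), so a pattern
   like "*.com" never matches anything. */
static bool match_with(const char *host, const char *pattern, label_matcher m)
{
  const char *hdot = strchr(host, '.');
  const char *pdot = strchr(pattern, '.');
  if(!hdot || !pdot)
    return strcasecmp(host, pattern) == 0;   /* single label: exact only */
  if(memchr(pattern, '*', (size_t)(pdot - pattern)) && !strchr(pdot + 1, '.'))
    return false;                            /* "*.com" is too wide */
  if(strcasecmp(hdot + 1, pdot + 1) != 0)
    return false;                            /* parent domains differ */
  return m(host, (size_t)(hdot - host), pattern, (size_t)(pdot - pattern));
}

/* Old-style policy: partial wildcards allowed in the leftmost label. */
bool vulnerable_hostcheck(const char *host, const char *pattern)
{
  return match_with(host, pattern, loose_label_match);
}

/* New-style policy: only "*.domain.com" wildcards are accepted. */
bool fixed_hostcheck(const char *host, const char *pattern)
{
  return match_with(host, pattern, strict_label_match);
}

int main(void)
{
  /* Constructed sample names; "xn--example" stands in for any A-label. */
  const char *host = "xn--example.example.com";
  const char *partial = "x*.example.com";
  const char *full = "*.example.com";
  printf("%-16s old:%d new:%d\n", partial,
         vulnerable_hostcheck(host, partial), fixed_hostcheck(host, partial));
  printf("%-16s old:%d new:%d\n", full,
         vulnerable_hostcheck(host, full), fixed_hostcheck(host, full));
  return 0;
}
```

Run as-is, the program shows the partial wildcard x*.example.com accepted by the loose policy and rejected by the strict one, while the whole-label wildcard *.example.com is accepted by both. The strict matcher also refuses a wildcard that would have to span two labels (a.b.example.com against *.example.com) and an empty leftmost label, both of which a certificate-name check should reject regardless of the IDN issue.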