On March 20, 2023 curl turns 25 years old. Celebrate with us online.
curl / Docs / Security Problems / SFTP path ~ resolving discrepancy

CVE-2023-27534: SFTP path ~ resolving discrepancy

Project curl Security Advisory, March 20th 2023 - Permalink

VULNERABILITY

curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work.

Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element.

Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo.

This can be taken advantage of to circumvent filtering or worse.

We are not aware of any exploit of this flaw.

INFO

CVE-2023-27534 was introduced in commit ba6f20a244, shipped in curl 7.18.0.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory

Severity: Low

AFFECTED VERSIONS

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

A fix for CVE-2023-27534

RECOMMENDATIONS

A - Upgrade curl to version 8.0.0

B - Apply the patch to your local version

C - Avoid using tilde in SFTP URL paths.

TIMELINE

This issue was reported to the curl project on March 5, 2023. We contacted distros@openwall on March 13, 2023.

curl 8.0.0 was released on March 20 2023, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!