CVE-2023-28320

ADVISORY - nist

Summary

A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using alarm() and siglongjmp(). When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.

EPSS Score⁠: 0.00641 (0.697)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-362⁠

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-400⁠

Uncontrolled Resource Consumption

ADVISORY - redhat

CWE-662⁠

Improper Synchronization

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.