Cyber Resilience

CVE-2023-38545

Severity: Critical (updated)
Published: 18 October 2023
Modified: 12 May 2026
KEV added: not listed
Patch: available (curl 8.4.0)
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.2625 (96.4th percentile)
Risk priority: 35 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-38545 is a critical-severity out-of-bounds write (CWE-787) in curl and libcurl: a heap-based buffer overflow in the SOCKS5 proxy handshake. It also affects products that bundle the library, including NetApp Active IQ Unified Manager and the curl shipped with Windows. Its NVD CVSS v3.1 base score is 9.8 (Critical); the curl project's own advisory rates the issue High.

Operationally, it ranks in the top 3.6% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

This flaw is a heap-based buffer overflow in curl's SOCKS5 proxy handshake. When curl is asked to let the proxy resolve the hostname (a socks5h:// proxy URL, --socks5-hostname, or CURLPROXY_SOCKS5_HOSTNAME) and that hostname is longer than the 255 bytes the SOCKS5 protocol allows, curl is supposed to fall back to resolving the name locally and send the proxy only the resolved address. That decision was kept in a local variable that is recomputed every time the handshake state machine is re-entered, so if the proxy answers slowly enough that curl returns to its event loop mid-handshake, the fallback is forgotten on re-entry and the full hostname taken from the URL is copied into the heap buffer used to build the request, regardless of its length.

The hostname is attacker-influenced whenever the URL is: the typical trigger is a malicious server redirecting a client that follows redirects (curl -L, CURLOPT_FOLLOWLOCATION) to a URL with an oversized hostname while that client is configured to use a SOCKS5 proxy with remote name resolution. No authentication is required. Successful exploitation can result in arbitrary code execution, information disclosure or denial of service, consistent with the CVSS 9.8 rating and the CWE-787 classification. Two preconditions limit exploitability in practice: the handshake must be slow enough to force a re-entry, and the hostname must be longer than curl's buffer, which is why the curl project's advisory rates the bug High rather than Critical.

Public advisories and patch information are available at the referenced URLs, including the official curl project entry at https://curl.se/docs/CVE-2023-38545.html and related vendor disclosures.

The associated EPSS score has remained in the 0.26–0.28 range with no pronounced post-disclosure climb from a low baseline.

EU & UK References

Vulnerability details

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with.
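The state-machine mistake described in the deeper analysis and in the curl advisory text above, as an added example. This is a condensed model written for this page, not curl's code and not an exploit: the state names, the slow_proxy flag, the 256-byte buffer and the 300-byte hostname are constructed, and the bounds check in front of the memcpy is added so that the model never writes out of bounds (curl had no such check, which is the vulnerability). Per the curl advisory the real target is curl's download buffer, 16 kB by default in libcurl and larger in the curl tool, so a real overflow needs a hostname longer than that buffer.

```c
/* Added example, not curl's code: a condensed model of curl's SOCKS5 state
 * machine (lib/socks.c) before and after 8.4.0. Sizes and names are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum state  { ST_INIT, ST_READ_AUTH, ST_REQ_INIT, ST_DONE };
enum result { RES_AGAIN, RES_OK, RES_LONG_HOSTNAME, RES_WOULD_OVERFLOW };

struct socks5 {
    enum state st;
    bool remote_resolve;     /* socks5h://: the proxy resolves the name */
    const char *hostname;
    size_t hostname_len;
    unsigned char *buf;      /* heap request buffer (curl reuses its download buffer) */
    size_t bufsize;
    bool slow_proxy;         /* constructed: the greeting reply has not arrived yet */
    int entries;             /* how many times the state machine was entered */
};

/* One pass through the handshake; RES_AGAIN = curl would go back to its event loop (EAGAIN). */
static enum result socks5_step(struct socks5 *c, bool fixed)
{
    /* Pre-8.4.0 bug: this decision is a local recomputed from the proxy type
     * on every entry, so the override made in ST_INIT is lost on re-entry. */
    bool resolve_local = !c->remote_resolve;
    c->entries++;
    for(;;) {
        switch(c->st) {
        case ST_INIT:
            if(!resolve_local && c->hostname_len > 255) {
                if(fixed) return RES_LONG_HOSTNAME; /* 8.4.0: refuse, CURLPX_LONG_HOSTNAME */
                resolve_local = true;               /* pre-8.4.0: fall back to local resolve */
            }
            c->st = ST_READ_AUTH;                   /* greeting sent, wait for method reply */
            break;
        case ST_READ_AUTH:
            if(c->slow_proxy && c->entries == 1)
                return RES_AGAIN;                   /* nothing to read yet: leave, come back */
            c->st = ST_REQ_INIT;
            break;
        case ST_REQ_INIT: {
            size_t len = 0;
            c->buf[len++] = 5;                      /* VER */
            c->buf[len++] = 1;                      /* CMD: CONNECT */
            c->buf[len++] = 0;                      /* RSV */
            if(!resolve_local) {
                /* ATYP=3 needs 1 + 1 + name + 2 port bytes. This bounds check is added
                 * to keep the model safe; curl had none and memcpy'd hostname_len bytes. */
                if(len + 2 + c->hostname_len + 2 > c->bufsize)
                    return RES_WOULD_OVERFLOW;
                c->buf[len++] = 3;                  /* ATYP: domain name */
                c->buf[len++] = (unsigned char)c->hostname_len; /* >255 silently truncated */
                memcpy(&c->buf[len], c->hostname, c->hostname_len);
                len += c->hostname_len;
            }
            else {
                const unsigned char ip[4] = {127, 0, 0, 1}; /* constructed placeholder */
                c->buf[len++] = 1;                  /* ATYP: IPv4, resolved locally */
                memcpy(&c->buf[len], ip, 4);
                len += 4;
            }
            c->buf[len++] = 0; c->buf[len++] = 80;  /* DST.PORT 80 */
            c->st = ST_DONE;
            return RES_OK;
        }
        case ST_DONE: return RES_OK;
        }
    }
}

/* Run one socks5h:// handshake to completion, re-entering on RES_AGAIN as curl's connect loop does. */
enum result socks5_handshake(bool fixed, bool slow_proxy, size_t bufsize,
                             size_t hostname_len)
{
    struct socks5 c = {0};
    char *host = malloc(hostname_len + 1);
    memset(host, 'a', hostname_len);                /* constructed hostname: aaaa... */
    host[hostname_len] = '\0';
    c.remote_resolve = true;
    c.hostname = host; c.hostname_len = hostname_len;
    c.buf = malloc(bufsize); c.bufsize = bufsize;
    c.slow_proxy = slow_proxy;
    enum result r = socks5_step(&c, fixed);
    while(r == RES_AGAIN) r = socks5_step(&c, fixed);
    free(c.buf); free(host);
    return r;
}

int main(void)
{
    printf("old, fast proxy: %d  old, slow proxy: %d  fixed, slow proxy: %d\n",
           socks5_handshake(false, false, 256, 300),   /* 1 = RES_OK (resolved locally) */
           socks5_handshake(false, true, 256, 300),    /* 3 = RES_WOULD_OVERFLOW */
           socks5_handshake(true, true, 256, 300));    /* 2 = RES_LONG_HOSTNAME */
    return 0;
}
```

The fast-proxy run completes inside a single entry, so the fallback set in ST_INIT survives and an IPv4 request is built; the slow-proxy run re-enters with resolve_local freshly recomputed as false and tries to copy the 300-byte name into a 256-byte buffer. Note also what happens with a buffer the size of libcurl's default: the same 300-byte name then fits, and instead of an overflow the old code sends a malformed request whose one-byte length field has been truncated to 300 mod 256. An overflow needs a hostname longer than the buffer minus the seven header bytes. The fixed code rejects any name over 255 bytes in ST_INIT, on the first entry, before any buffer is touched.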

CWE(s)

CWE-787: Out-of-bounds Write

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: affected versions

haxx / libcurl: 7.69.0 up to, but not including, 8.4.0 (fixed in 8.4.0)
fedoraproject / fedora: 37
netapp / active iq unified manager: all versions
netapp / oncommand insight: all versions
netapp / oncommand workflow automation: all versions
microsoft / windows 10 1809: ≤ 10.0.17763.5122
microsoft / windows 10 21h2: ≤ 10.0.19044.3693
microsoft / windows 10 22h2: ≤ 10.0.19045.3693
microsoft / windows 11 21h2: ≤ 10.0.22000.2600
microsoft / windows 11 22h2: ≤ 10.0.22621.2715
+3 more product configuration(s); see NVD for the full list

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-787:

Non-executable memory (NX/DEP) and address-space layout randomization blunt, but do not prevent, an out-of-bounds heap write: injected shellcode cannot be executed directly, and a control-flow hijack needs an address leak. The effective control is updating curl/libcurl to 8.4.0 or later, or to the vendor build that backports the fix. Until then, the workarounds from the curl advisory apply: do not use SOCKS5 proxies with remote hostname resolution (socks5h:// proxy URLs, --socks5-hostname, CURLPROXY_SOCKS5_HOSTNAME), and do not set a proxy environment variable to a socks5h:// URL.

References