The issue is resolved with the April 11th round of updates for all supported operating systems (e.g., KB5025229 for Windows Server 2019, KB5025230 for Windows Server 2022). The inbox version of curl.exe (located at %WinDir%\System32\curl.exe) has been updated to version 8.0.1, which addresses CVE-2022-43552. Note that if some other software installed curl.exe to another location, it needs to be updated separately.
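As an added check (example code, not part of the question or the answer above): enumerate every curl.exe on the host, compare its file version against the 7.87.0 fixed version Nessus reports, and confirm the April 2023 update is present. The search roots beyond System32 and SysWOW64, and the KB list, are assumptions taken from the page's examples; extend them for your environment.

```powershell
# Added example, not from the original Q&A. Assumes the 7.87.0 threshold and
# KB numbers quoted on the page; the extra search roots are an assumption.
$FixedVersion = [version]'7.87.0'

# Inbox locations from the Nessus finding and the answer, plus the usual places
# third-party software drops its own copy of curl.exe (assumption).
$SearchRoots = @(
    "$env:WinDir\System32",
    "$env:WinDir\SysWOW64",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
)

$Results = foreach ($Root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $Root)) { continue }
    Get-ChildItem -LiteralPath $Root -Filter 'curl.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersionRaw is a System.Version, so -lt compares numerically
            # (7.83.1.0 < 7.87.0) instead of as a string.
            $Ver = $_.VersionInfo.FileVersionRaw
            $Status = if (-not $Ver) { 'no version info' }
                      elseif ($Ver -lt $FixedVersion) { 'vulnerable' }
                      else { 'patched' }
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $Ver
                Status  = $Status
            }
        }
}

# Vulnerable copies first; each one outside System32/SysWOW64 belongs to
# whatever software installed it and is not fixed by the Windows update.
$Results | Sort-Object Status -Descending | Format-Table -AutoSize

# Confirm the April 2023 cumulative update that ships curl 8.0.1 is installed.
Get-HotFix | Where-Object HotFixID -in 'KB5025229', 'KB5025230'
```

Recursing Program Files can take a while on large hosts; narrow the roots if the scan is only after the inbox copies.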
Curl Use-After-Free < 7.87 (CVE-2022-43552)
Tenable Nessus Scan indicates that the built-in Windows curl program is vulnerable. Please suggest a remedy for this. Below are some details. The version of Curl installed on the remote host is prior to 7.87.0. It is therefore affected by a use-after-free vulnerability. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.
Path : C:\Windows\SysWOW64\curl.exe
Installed version : 7.83.1.0
Fixed version : 7.87.0
pronichkin, 2023-04-11T22:19:27.76+00:00