Update of Curl.exe for Windows Server 2019 - CVE-2023-32001

Sharma, Raju 80 Reputation points
2023-08-29T09:35:26.4433333+00:00

Hi Support team

Nessus found a vulnerability with curl

  • Curl Arbitrary File Write 7.x >= 7.84.0 / 8.x <= 8.1.2 (CVE-2023-32001) with Windows Server

We have 60 plus Windows Server 2019, and our current version of curl is 8.0.1. Kindly advise when you are going to release the next patch to fix this vulnerability.

Thank you.

Windows Server

Accepted answer
  1. Brad Bateman 85 Reputation points
    2023-08-31T12:08:42.7633333+00:00

    After some research, it looks like this CVE has been retracted by the CURL security team in Aug 2023, and the CVE is in Rejected status now. So this vulnerability should be able to be ignored.

    References:

    https://curl.se/docs/CVE-2023-32001.html "As of August 2023, the curl security team has retracted this issue and we no longer consider this a curl security flaw."

    https://nvd.nist.gov/vuln/detail/CVE-2023-32001 "REJECTED CVE status"

    https://www.cve.org/ResourcesSupport/FAQs "A CVE Record listed as “REJECT” is a CVE Record that is not accepted as a CVE Record… As a rule, REJECT CVE Records should be ignored"

    2 people found this answer helpful.

2 additional answers

  1. John Knepler 5 Reputation points
    2023-10-24T20:10:35.5366667+00:00

    Current Nessus scan shows this as being CVE-2023-38039 as stated above. This is different than CVE-2023-32001. It would be nice for Microsoft to actually provide an update for this as it has been an issue for a while. Either way, being on version 7.84 and not on the latest or close to the latest poses an issue in and of itself, as it was released Jun 27 2022. The latest version of 8.4 having just been released Oct 11 2023. How is MS not at least updating to a build or two behind? I have seen a couple of other threads with the 38039 also listed on MS forums (one example below). None of them have shown or listed any intent of MS releasing an update.

    https://learn.microsoft.com/en-us/answers/questions/1387774/curl-7-84-(-8-2-1-header-dos-(cve-2023-38039)-for

    1 person found this answer helpful.

  2. Bruce Bading 15 Reputation points
    2023-10-26T19:07:30.0666667+00:00

    BFB Security has been in touch with the Microsoft Security Response Team regarding the vulnerability. We have received the following response and are awaiting further information from Microsoft as to the expected date of the KB release. Further, as with any open source, Microsoft will need to ensure there is a patch cadence as new vulnerabilities are found and new CVEs released.

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38545

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38039

    As noted there, Microsoft is planning to update these open-source components in Windows. Please watch these two sites for updates.

    Thank you again for working with MSRC.

    1 person found this answer helpful.
