This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 18%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETP%3C/text%3E%3C/svg%3E)
Tenable Vulnerability scanner is detectong a CURL vulnerable version... Microsoft best practice Recomendation states that this package should not be upgraded manually, because that could break Windows update processes.
Tenable Vulnerability: Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039)
Reference: https://www.tenable.com/plugins/nessus/181409
Solution Proposed: Upgrade Curl to version 8.3.0 or later
Any idea when Microsoft is going to release CURL Version 8.3.0 as a fix for Windows 10 and Windows 11 OS vulnerability CVE-2023-38039?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 55.00000000000001%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Tenable Vulnerability:Curl 7.89 < 8.4.0 Heap Buffer Overflow
Plugin :182875
Any idea when Microsoft is going to release CURL Version 8.4.0
Plugin Output:
Path : C:\Windows\SysWOW64\curl.exe
Installed version : 8.0.1.0
Fixed version : 8.4.0
Path : C:\Windows\System32\curl.exe
Installed version : 8.0.1.0
Fixed version : 8.4.0
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 9%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
This is an issue with Microsoft's use of open source solutions, without integration of the open source patching. I'd really like to know when/if they plan on fixing this, or if anyone has found a viable open source way of fixing this.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 68%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Just got answer from MS Support:
Microsoft is actively working to release version 8.4.0 of curl.exe in a future Windows update to address CVE-2023-38039 and CVE-2023-38545.
For further details, including answers to anticipated questions and workarounds, please review:
Microsoft Security Update Gulde: CVE-2023-38039 | Hackerone: CVE-2023-38039 HTTP headers eat all memory
Microsoft Security Update Gulde: CVE-2023-38545 | MITRE: CVE-2023-38545 SOCKS5 heap buffer overflow
Wait now for answer if it is included in the November Updates
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 35%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERT%3C/text%3E%3C/svg%3E)
You are correct November Patches finnally include this CURL Update, Wjat I am going to do going forward is to Re-cast in Tenable for 1 month every time a new CURL is released, it seems that Microsoft takes 1 patching and even 2 cycles to provide an upgrade of CURL. but November patch does include the latest CURM upgrade.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 49%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Another vulnerability has been released for CURL on October 11th.
Still not even an acknowledgment from MS about its existence and no update in the October cumulative for the previous one.
Really could do with a real person saying something helpful rather than an AI bot that knows nothing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 57.00000000000001%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)
So... I saw this article on Monday. I too am seeing these vulnerabilities in my Nessus scans and I need to know how to fix it... is this a manual fix that I need to get from "cURL or is MS going to push a fix as suggested in the article?
https://thehackernews.com/2023/10/security-patch-for-two-new-flaws-in.html
I don't know. The provided context does not contain information about when Microsoft will release CURL version 8.3.0 as a fix for the Windows 10 and Windows 11 OS vulnerability CVE-2023-38039.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 52%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJK%3C/text%3E%3C/svg%3E)
Same issue. Would be nice if MS would at least update it to a version or two behind at a minimum rather than being on a version that is over a year old.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 63%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Same issue. Is there any update on the patch release. 8.4 on windows 11
In the November Windows Updates Curl 8.4 is included, so after the Update the problem is solved :-)