QwikSec

Security Database

CVE

CWE

Training

CVE-2023-27534

Published: Mar 30, 2023

Modified: Apr 23, 2025

PUBLISHED

Description

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.

Vendor	Product	Versions
n/a	https://github.com/curl/curl	affected `Fixed in 8.0.0`

Weaknesses (CWE)

References

https://hackerone.com/reports/1892351

FEDORA-2023-7e7414e64d

vendor-advisory

https://security.netapp.com/advisory/ntap-20230420-0012/

vendor-advisory

[debian-lts-announce] 20240317 [SECURITY] [DLA 3763-1] curl security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.