CVE-2023-28321 Information
Description
An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as \Subject Alternative Name\ in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match but the wildcard check in curl could still check for x which would match even though the IDN name most likely contained nothing even resembling an x.
Reference
https://hackerone.com/reports/1950627
An
improper
certificate
validation
vulnerability
exists
in
curl
<v8.1.0
in
the
way
it
supports
matching
of
wildcard
patterns
when
listed
as
\Subject
Alternative
Name
in
TLS
server
certificates.
curl
can
be
built
to
use
its
own
name
matching
function
for
TLS
rather
than
one
provided
by
a
TLS
library.
This
private
wildcard
matching
function
would
match
IDN
(International
Domain
Name)
hosts
incorrectly
and
could
as
a
result
accept
patterns
that
otherwise
should
mismatch.
IDN
hostnames
are
converted
to
puny
code
before
used
for
certificate
checks.
Puny
coded
names
always
start
with
xn--
and
should
not
be
allowed
to
pattern
match
but
the
wildcard
check
in
curl
could
still
check
for
x*
which
would
match
even
though
the
IDN
name
most
likely
contained
nothing
even
resembling
an
x.