{
  "id": "CURL-CVE-2023-28321",
  "summary": "IDN wildcard match",
  "details": "curl supports matching of wildcard patterns when listed as \"Subject\nAlternative Name\" in TLS server certificates. curl can be built to use its own\nname matching function for TLS rather than one provided by a TLS library. This\nprivate wildcard matching function would match IDN (International Domain Name)\nhosts incorrectly and could as a result accept patterns that otherwise should\nmismatch.\n\nIDN hostnames are converted to puny code before used for certificate\nchecks. Puny coded names always start with `xn--` and should not be allowed to\npattern match, but the wildcard check in curl could still check for `x*`,\nwhich would match even though the IDN name most likely contained nothing even\nresembling an `x`.",
  "aliases": ["CVE-2023-28321"],
  "modified": "2025-05-15T17:48:29Z",
  "published": "2023-05-17T08:00:00Z",
  "database_specific": {
    "issue": "https://hackerone.com/reports/1950627",
    "CWE": {"id": "CWE-295", "desc": "Improper Certificate Validation"},
    "www": "https://curl.se/docs/CVE-2023-28321.html",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2023-28321.json",
    "package": "curl",
    "last_affected": "8.0.1",
    "severity": "Low",
    "award": {"currency": "USD", "amount": "480"}
  },
  "affected": [
    {
      "ranges": [
        {"type": "SEMVER", "events": [{"introduced": "7.12.0"}, {"fixed": "8.1.0"}]},
        {"type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [{"introduced": "9631fa740708b1890197fad01e25b34b7e8eb80e"}, {"fixed": "199f2d440d8659b42670c1b796220792b01a97bf"}]}
      ],
      "versions": ["8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0"],
      "database_specific": {
        "source": "https://curl.se/docs/CURL-CVE-2023-28321.json",
        "vanir_signatures": [
          {
            "signature_type": "Line",
            "id": "CURL-CVE-2023-28321-22907c43",
            "digest": {
              "threshold": 0.9,
              "line_hashes": ["207344050218123955699041356600465311264","176450998410173016986681428109077048181","96678665506437293532820654154268634943","244917099847138194886333478503103950628","290144097704787677007989522158933197135","202219654548396747986612148741026476277","106261824755708513465249537150556334520","292781301319785374301973628429098761201","182884367375154701311730416210809079942","184850878051911525171318602240408755679","70872935137333767821928064781034318777","3218818267648832516109818594963966423","259002975747539925722061061352013899141","119503835549450692804905006096445230805","237906647485658698509995646830117046063","64558883178164103185559295669389519803","43332104367442266067511898126447375423","220485707103904345636038975245330103165","32938390744849936639465126910748883463","84499700343107277191071546829722903595","174494594992661535818975793588245730124","18750924031455055675408890960159457343","70030276913893605866929172575700190452","297133321672383619089091827377126209520","13527663011686220506134752011245117688","209178442964219701653566614313755601921","293711842609800845236651907376106789971","14533965421150270866906735132835572603","267120981018669293215323945650870185363","196391514796541536002487959221554985156","227015790769795376859760859938160102021","316663134325251650730551586338244840937","117758670353837784665922420908474672441","224605571622261455075235519821174555378","20187487501335244557122662571306469028","181801461867350828320927042053029239737","236451809119585836700513312873152680197","29513611501008744280691819268018259285","145529806693255241543554255050574402265","79088044851467495900347924277634283669","287269455687870498246737122626929890878","187152424406849004443345873939226419529","128390619606535394460267015126923126753","215332077111943297502664971507561531214","315765897946706647711754345569895997735","323163036058898178658777904662209436316","106341659433086469923964117145680371865","176671770801296029345261879167953368048","149904613802364529128234921182639223146"]
            },
            "deprecated": false,
            "target": {"file": "tests/unit/unit1397.c"},
            "source": "https://github.com/curl/curl.git/commit/199f2d440d8659b42670c1b796220792b01a97bf",
            "signature_version": "v1"
          },
          {
            "signature_type": "Function",
            "id": "CURL-CVE-2023-28321-8ed8cea1",
            "digest": {"length": 997, "function_hash": "17045556477640101631476317217175158095"},
            "deprecated": false,
            "target": {"file": "lib/vtls/hostcheck.c", "function": "hostmatch"},
            "source": "https://github.com/curl/curl.git/commit/199f2d440d8659b42670c1b796220792b01a97bf",
            "signature_version": "v1"
          },
          {
            "signature_type": "Line",
            "id": "CURL-CVE-2023-28321-c9a94bbc",
            "digest": {
              "threshold": 0.9,
              "line_hashes": ["202480558793927032443896057348026301333","273735333512926019706092675697435160329","34575677330080548715188934758914392689","161833313914807409501102786217462292561","238242421435260085330126269803896816368","273956007976646414983790013364135847729","230972920637210048503660159829816561017","259847689724216513183948545756757181743","150274663693921415380239290079727876828","65363549928569964557700014265241454880","150200142490441987707881659854018231823","173788023322784971571172798032121242752","132679290044646887355311276072621944872","25619242862421188163039260771649062645","144281374625316198945495567413221501820","99020688279056881216991553987430980562","14968558949702634202354716346518045466","255582497584182576484126104750823177411","85790513418043162373358032904296192892","99212506937494681883937530713434009897","163907589584131067719163211430603514158","178650692711719712051589754764022254573","4542696306003919669504041750104887642","304976047544308717997234158838631226087","13064021874927037628782388118336597786","16708449399330014789651151293084031438","695481965351811090486431716371694364","329086040007228194495918905846678174541","219827008063691352413220017409881238791","178318043334528255561670293008793434335","92308745483557585579030948033692739499","308741393931263726980266449695143080759","91327533059102227972066396834652786653","76123061512330118630165763077009240403","45687453402880191195503626419558990401","211643802336353119040804615758864243236","283446933028853935968841514268993513422","235139287545283987764083845890182220162","176748493745458278603251314540948026316","162666952330111013622416839259305747227"]
            },
            "deprecated": false,
            "target": {"file": "lib/vtls/hostcheck.c"},
            "source": "https://github.com/curl/curl.git/commit/199f2d440d8659b42670c1b796220792b01a97bf",
            "signature_version": "v1"
          }
        ]
      }
    }
  ],
  "schema_version": "1.7.3",
  "credits": [
    {"name": "Hiroki Kurosawa", "type": "FINDER"},
    {"name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER"}
  ]
}