CVE-2023-27533: 
MySQL vulnerability analysis and mitigation

A vulnerability (CVE-2023-27533) was discovered in curl versions prior to 8.0 affecting the TELNET protocol implementation. The vulnerability was discovered by Harry Sintonen and disclosed on March 20, 2023. The issue affects curl's TELNET protocol communication functionality, specifically in how it handles usernames and telnet options during server negotiation (Curl CVE).

The vulnerability stems from insufficient input validation in curl's TELNET protocol implementation. Due to lack of proper input scrubbing, curl would pass on username and telnet options to the server as provided, allowing attackers to send content or perform option negotiation without the application's intended behavior. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD Database).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary code on the system if an application allows user input. The vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). For some systems, like ONTAP 9, the vulnerability is only exploitable when TELNET is enabled (NetApp Advisory).

The vulnerability was fixed in curl version 8.0.0 by implementing proper input validation that only accepts ASCII username and telnet options. Users are recommended to upgrade to curl version 8.0.0 or later. For systems that cannot be immediately upgraded, it is recommended to implement proper TELNET username or option input filtering (Curl CVE).