CVE-2023-27537: 
MySQL vulnerability analysis and mitigation

A double free vulnerability (CVE-2023-27537) was discovered in libcurl versions prior to 8.0.0. The vulnerability was introduced in curl 7.88.0 and affected versions up to and including 7.88.1. The issue arose when sharing HSTS (HTTP Strict Transport Security) data between separate handles, which was implemented without proper consideration for thread safety. This vulnerability was discovered on March 8, 2023, and was publicly disclosed on March 20, 2023 (Curl Advisory).

The vulnerability stems from missing mutexes or thread locks when sharing HSTS data between separate handles across different threads. The lack of proper thread synchronization mechanisms could result in a double-free or use-after-free condition. The vulnerability is classified as CWE-415 (Double Free) with a CVSS v3.1 base score of 5.9 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The impact of this vulnerability is considered low due to several factors: it affects a not widely used functionality, the timing necessary to trigger the vulnerability needs to match fairly exactly, and exploiting this vulnerability for anything beyond a denial of service is considered difficult (Curl Advisory).

The primary recommendation is to not share HSTS data between threads. The issue was fixed in curl version 8.0.0 with a documentation update clarifying that sharing HSTS between threads is not expected to work. Users are advised to upgrade to curl version 8.0.0 or later to address this vulnerability (Curl Advisory).