CVE-2023-28321: 
MySQL vulnerability analysis and mitigation

CVE-2023-28321 is a vulnerability discovered in curl's certificate validation functionality that was disclosed on May 17, 2023. The issue affects curl versions 7.12.0 to 8.0.1, where the wildcard matching function incorrectly handled IDN (International Domain Name) hosts during certificate validation. This vulnerability was first introduced when IDN support was added to curl in June 2004 (Curl Advisory).

The vulnerability stems from curl's private wildcard matching function used for TLS certificate validation when built with OpenSSL, Schannel, or Gskit. The function would incorrectly match IDN hostnames that are converted to punycode (starting with xn--), allowing pattern matches that should have been rejected. For example, the function could match patterns starting with 'x*', even when the IDN name contained no resemblance to 'x'. The vulnerability has been assigned a CVSS score of 5.6 (Medium) with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L (Curl Advisory, NetApp Advisory).

The improper certificate validation could lead to the disclosure of sensitive information, addition or modification of data, or potential Denial of Service (DoS). However, the impact is somewhat mitigated by two factors: Certificate Authorities for public Internet certificates are not allowed to use 'partial' wildcards, and in many cases, the control of hostnames and wildcards in certificates are managed by the same entity (Curl Advisory).

The vulnerability was fixed in curl version 8.1.0 by completely removing support for 'partial' matches and only supporting '*.' patterns for all hostnames, whether IDN or not. Users are recommended to upgrade to curl version 8.1.0 or later. If upgrading is not immediately possible, there are no known workarounds (Curl Advisory).