Advisory on curl Vulnerabilities CVE-2023-38545 and CVE-2023-38546
Incident Report for Pantheon Operations
Resolved
Pantheon's engineering teams have conducted thorough audits and have taken all necessary precautions to mitigate the associated risk at the platform level.
Posted Oct 24, 2023 - 12:43 PDT
Investigating
Pantheon is aware of the recent vulnerabilities reported in curl. As a precautionary measure, we are continuing to work proactively to mitigate impact on Pantheon customers and infrastructure.

Details released on October 11th demonstrate that the vulnerability is only possible under a very limited set of conditions, where an application uses curl with a SOCKS5 proxy with remote host resolving enabled. This configuration is not found in any WordPress core or Drupal core code. It could hypothetically be introduced by third-party or custom code, though our assessment is that this is an unlikely scenario.

We are committed to keeping our customers informed and will provide updates from our investigation on our status page. As we learn more, we will promptly communicate any actions that need to be taken to address the vulnerability.
Posted Oct 11, 2023 - 11:59 PDT
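
The condition described in the October 11 update (curl used with a SOCKS5 proxy and remote host resolving) can be checked for in custom or third-party code with a source scan. The following is an added example, not Pantheon's tooling or part of the original advisory; the file paths and PHP snippets are constructed samples, and the comment skipping is a simple line-prefix heuristic.

```python
import re

# Settings that make curl hand the hostname to the SOCKS5 proxy (remote resolving):
# the CURLPROXY_SOCKS5_HOSTNAME proxy type, a socks5h:// proxy URL, or the
# curl command-line option --socks5-hostname.
REMOTE = re.compile(r"\bCURLPROXY_SOCKS5_HOSTNAME\b|socks5h://|--socks5-hostname\b", re.I)
# SOCKS5 with local resolving: outside the stated conditions, listed for review only.
LOCAL = re.compile(r"\bCURLPROXY_SOCKS5\b|socks5://", re.I)
COMMENT = re.compile(r"^\s*(//|#|\*|/\*)")  # heuristic: whole-line comments only

def scan(files):
    """Return (path, line_number, kind) for each SOCKS5 proxy setting found."""
    findings = []
    for path, text in sorted(files.items()):
        for number, line in enumerate(text.splitlines(), start=1):
            if COMMENT.match(line):
                continue  # ignore commented-out code
            if REMOTE.search(line):
                findings.append((path, number, "remote-resolve"))
            elif LOCAL.search(line):
                findings.append((path, number, "local-resolve"))
    return findings

SAMPLE_FILES = {  # constructed samples, not real plugin or module code
    "wp-content/plugins/example-fetcher/fetch.php": '''<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_PROXY, "proxy.internal.example:1080");
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5_HOSTNAME);
curl_exec($ch);
''',
    "modules/custom/example_sync/sync.php": '''<?php
// old approach: socks5h://proxy.internal.example:1080
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_PROXY, "socks5://proxy.internal.example:1080");
''',
    "modules/custom/example_api/client.php": '''<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
''',
}

if __name__ == "__main__":
    for path, number, kind in scan(SAMPLE_FILES):
        print(f"{kind:15} {path}:{number}")
```

Lines reported as `remote-resolve` match the condition named in the advisory; `local-resolve` lines use SOCKS5 without remote host resolving and are listed only so they can be reviewed.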