Published: 23/02/2023 Updated: 27/03/2024

CVSS v3 Base Score: 6.5 | Impact Score: 2.5 | Exploitability Score: 3.9

VMScore: 0

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.

Vulnerable Product	Search on Vulmon	Subscribe to Product
haxx curl
netapp active iq unified manager -
netapp clustered data ontap 9.0
netapp h300s_firmware -
netapp h500s_firmware -
netapp h700s_firmware -
netapp h410s_firmware -
splunk universal forwarder 9.1.0
splunk universal forwarder

Debian Bug report logs - #1031371 curl: CVE-2023-23914 CVE-2023-23915 CVE-2023-23916 Package: src:curl; Maintainer for src:curl is Alessandro Ghedini <ghedo@debianorg>; Reported by: Moritz Mühlenhoff <jmm@inutilorg> Date: Wed, 15 Feb 2023 22:27:01 UTC Severity: grave Tags: security, upstream Found in version curl ...

Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2451 SP2 security update Type/Severity Security Advisory: Important Topic Red Hat JBoss Core Services Apache HTTP Server 2451 Service Pack 2 is now availableRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Sco ...

Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2451 SP2 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update is now available for Red Hat JBoss Core Services Apache HTTP Server 2 ...

A flaw was found in the Curl package, where the HSTS mechanism would be ignored by subsequent transfers when done on the same command line because the state would not be properly carried This issue may result in limited confidentiality and integrity (CVE-2023-23914) A flaw was found in the Curl package, where the HSTS mechanism could fail when mu ...

DescriptionA flaw was found in the Curl package, where the HSTS mechanism could fail when multiple transfers are done in parallel, as the HSTS cache file gets overwritten by the most recently completed transfer This issue may result in limited confidentiality and integrityA flaw was found in the Curl package, where the HSTS mechanism could ...

Critical Infrastructure Sectors: Critical Manufacturing

CWE-319 https://hackerone.com/reports/1826048 https://security.netapp.com/advisory/ntap-20230309-0006/https://security.gentoo.org/glsa/202310-12 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031371 https://nvd.nist.gov https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-10 https://alas.aws.amazon.com/AL2/ALAS-2023-1986.html

CVE-2023-23915

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

ICS Advisories

References

Vulmon Search

About

Products

Connect