Published: 26/05/2023 Updated: 22/12/2023

CVSS v3 Base Score: 3.7 | Impact Score: 1.4 | Exploitability Score: 2.2

VMScore: 0

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Vulnerable Product	Search on Vulmon	Subscribe to Product
haxx curl
fedoraproject fedora 37
fedoraproject fedora 38
apple macos
netapp clustered data ontap -
netapp ontap antivirus connector -
netapp h300s_firmware -
netapp h500s_firmware -
netapp h700s_firmware -
netapp h410s_firmware -

Debian Bug report logs - #1036239 curl: CVE-2023-28319 CVE-2023-28320 CVE-2023-28321 CVE-2023-28322 Package: src:curl; Maintainer for src:curl is Alessandro Ghedini <ghedo@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 17 May 2023 20:57:02 UTC Severity: grave Tags: security, upstream F ...

Synopsis Moderate: curl security and bug fix update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for curl is now available for Red Hat Enterprise Linux 88 Extended Update SupportRed Hat Product Security has ...

Synopsis Moderate: curl security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for curl is now available for Red Hat Enterprise Linux 90 Extended Update SupportRed Hat Product Security has rated this u ...

Synopsis Important: OpenShift Virtualization 4133 Images security and bug fix update Type/Severity Security Advisory: Important Topic Red Hat OpenShift Virtualization release 4133 is now available with updates to packages and images that fix several bugs and add enhancementsRed Hat Product Security has rated this update as having a secur ...

Synopsis Important: Network Observability 140 for OpenShift Type/Severity Security Advisory: Important Topic Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agentThe operator provides dashboards, metrics, and keeps flow ...

Synopsis Moderate: OpenShift Container Platform 4138 bug fix and security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4138 is now available with updates to packages and images that fix several bugs and add enhancementsThis release includes a security update for Red Hat OpenShift Con ...

Synopsis Moderate: Red Hat JBoss Core Services Apache HTTP Server 2457 security update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update is now available for Red Hat JBoss Core ServicesRed Hat Product Security h ...

Synopsis Moderate: Red Hat JBoss Core Services Apache HTTP Server 2457 security update Type/Severity Security Advisory: Moderate Topic Red Hat JBoss Core Services Apache HTTP Server 2457 is now availableRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) bas ...

Integer overflow vulnerability in tool_operatec in curl 7652 via crafted value as the retry delay (CVE-2020-19909) libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash This f ...

Description This CVE is under investigation by Red Hat Product Security ...

About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available Recent releases are listed on the Apple security updates page Apple security documents reference vulnerabilities by CVE-ID&nbsp ...

Critical Infrastructure Sectors: Critical Manufacturing

Assessing security of v8.0.1 of the CLI tool curl

Security Evaluation of curl Written in collaberation with Michael Choi, Theodore Lau, Adam Murtagh, Sami Hamide, Alexander West for UCLA CS 136, Computer Security Summary In this report, we assess and rate the security of version 801 of the well-known command-line URL data transfer tool curl We approached this analysis from three angles — researching previous vulnerab

NVD-CWE-noinfo https://hackerone.com/reports/1954658 https://security.netapp.com/advisory/ntap-20230609-0009/https://support.apple.com/kb/HT213844 https://support.apple.com/kb/HT213843 https://support.apple.com/kb/HT213845 http://seclists.org/fulldisclosure/2023/Jul/47 http://seclists.org/fulldisclosure/2023/Jul/48 http://seclists.org/fulldisclosure/2023/Jul/52 https://security.gentoo.org/glsa/202310-12 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036239 https://nvd.nist.gov https://github.com/awest25/Curl-Security-Evaluation https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-15 https://alas.aws.amazon.com/AL2/ALAS-2023-2230.html

Get Started

CVE-2023-28322

Vulnerability Summary

Vendor Advisories

ICS Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect