CVE-2023-23914

CWE-319 — Cleartext Transmission14 documents10 sources

Severity

9.1CRITICAL

EPSS

0.1%

top 68.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Splunk Universal Forwarder Https: /github.com/curl/curl +1 more

Timeline

PublishedFeb 23

Latest updateOct 15

Description

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages6 packages

▶CVEListV5https://github.com/curl/curlFixed in 7.88.0

▶NVDhaxx/curl7.77.0 — 7.88.0

▶Debiancurl< 7.88.1-1+2

▶Ubuntucurl< 7.58.0-2ubuntu3.23+2

▶NVDsplunk/universal_forwarder8.2.0 — 8.2.12+2

🔴Vulnerability Details

OSV

curl vulnerabilities↗2023-02-27

▶

OSV

CVE-2023-23914: A cleartext transmission of sensitive information vulnerability exists in curl <v7↗2023-02-23

▶

CVEList

CVE-2023-23914: A cleartext transmission of sensitive information vulnerability exists in curl <v7↗2023-02-23

▶

GHSA

GHSA-75qm-2q4j-qx6g: A cleartext transmission of sensitive information vulnerability exists in curl <v7↗2023-02-23

▶

📋Vendor Advisories

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Networking (curl) — CVE-2023-23914↗2023-10-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (cURL) — CVE-2023-23914↗2023-07-15

▶

Oracle

Oracle Oracle HealthCare Applications Risk Matrix: DataStudio (cURL) — CVE-2023-23914↗2023-04-15

▶

Ubuntu

curl vulnerabilities↗2023-02-27

▶

Red Hat

curl: HSTS ignored on multiple requests↗2023-02-15

▶

💬Community

HackerOne

CVE-2023-23914: HSTS ignored on multiple requests↗2023-02-24

▶

HackerOne

CVE-2023-23914: curl HSTS ignored on multiple requests↗2023-02-15

▶