CVE-2023-23915

CWE-319 — Cleartext Transmission11 documents9 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 86.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Splunk Universal Forwarder Https: /github.com/curl/curl +1 more

Timeline

PublishedFeb 23

Latest updateFeb 27

Description

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlyco…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages5 packages

▶CVEListV5https://github.com/curl/curlFixed in 7.88.0

▶NVDhaxx/curl7.77.0 — 7.88.0

▶Debiancurl< 7.88.1-1+2

▶NVDsplunk/universal_forwarder8.2.0 — 8.2.12+2

▶NVDnetapp/clustered_data_ontap9.0

🔴Vulnerability Details

OSV

curl vulnerabilities↗2023-02-27

▶

OSV

CVE-2023-23915: A cleartext transmission of sensitive information vulnerability exists in curl <v7↗2023-02-23

▶

CVEList

CVE-2023-23915: A cleartext transmission of sensitive information vulnerability exists in curl <v7↗2023-02-23

▶

GHSA

GHSA-2c3h-vr56-625m: A cleartext transmission of sensitive information vulnerability exists in curl <v7↗2023-02-23

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2023-02-27

▶

Red Hat

curl: HSTS amnesia with --parallel↗2023-02-15

▶

Microsoft

▶

Debian

CVE-2023-23915: curl - A cleartext transmission of sensitive information vulnerability exists in curl <...↗2023

▶

💬Community

HackerOne

CVE-2023-23915: HSTS amnesia with --parallel↗2023-02-24

▶

HackerOne

CVE-2023-23915: HSTS amnesia with --parallel↗2023-02-15

▶