CVE-2023-28322: An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback…

CVE-2018-6594 [HIGH] PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution. CVE Summary CVE-2018-6594 This CVE is fixed in PAN-OS 10.2.17, 11.1.11, 11.2.8, 12.1.2, and all later versions of PAN-OS CVE-2018-25032 This CVE is fixed in PAN-OS 10.1.7, 10.2.2, and all later versions of PAN-OS CVE-2019-5827 This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. CVE-2019-13750 This CVE is fixed in PAN-OS 11.1.4, and all later versions of PAN-OS. CVE-2019-13751 This CVE is fixed in PAN-OS 11.1.4, and all later versions

Siemens SINEC NMS ICS Advisory ## Siemens SINEC NMS Release DateFebruary 15, 2024 Alert CodeICSA-24-046-15 As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF ## 1. EXECUTIVE SUMMARY - CVSS v3 9.8 - ATTENTION: Exploitable remotely/low attack complexity - Vendor: Siemens - Equipment: SINEC NMS - Vulnerabilities: Out-of-bounds Read, Inadequate Encryption Strength, Double Free, Use After Free, NULL Pointer Dereference, Improper Input Validation, Missing Encryption of Sensitive Data, Allocation of Resources Wit

CVE-2023-28322 [MEDIUM] curl vulnerabilities Title: curl vulnerabilities Summary: Several security issues were fixed in curl. USN-6237-1 fixed several vulnerabilities in curl. This update provides the corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. Original advisory details: Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. (CVE-2023-28321) Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service. (CVE-2023-28322) It was discovered that curl incorrectly handled saving cookies

CVE-2023-28322 [LOW] CVE-2023-28322: macOS Ventura 13.5 Apple Security Update: About the security content of macOS Ventura 13.5 Product: macOS Ventura Version: 13.5 CVE: CVE-2023-28322 Component: CVE-2023-28322

CVE-2023-28322 [LOW] CVE-2023-28322: macOS Monterey 12.6.8 Apple Security Update: About the security content of macOS Monterey 12.6.8 Product: macOS Monterey Version: 12.6.8 CVE: CVE-2023-28322 Component: CVE-2023-28322

CVE-2023-28322 [LOW] CVE-2023-28322: macOS Big Sur 11.7.9 Apple Security Update: About the security content of macOS Big Sur 11.7.9 Product: macOS Big Sur Version: 11.7.9 CVE: CVE-2023-28322 Component: CVE-2023-28322

[MEDIUM] curl regression Title: curl regression Summary: USN-6237-1 introduced a regression in curl. USN-6237-1 fixed vulnerabilities in curl. The update caused a certificate wildcard handling regression on Ubuntu 22.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. (CVE-2023-28321) Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service. (CVE-2023-28322) It was discovered that curl incorr

CVE-2023-28321 [MEDIUM] curl vulnerabilities Title: curl vulnerabilities Summary: Several security issues were fixed in curl. Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. (CVE-2023-28321) Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service. (CVE-2023-28322) It was discovered that curl incorrectly handled saving cookies to files. A local attacker could possibly use this issue to create or overwrite files. This issue only affected Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-32001) Instructions: In general,

CVE-2023-28322 [LOW] CWE-440 curl: more POST-after-PUT confusion curl: more POST-after-PUT confusion An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. A use-after-free flaw was found in the Curl package. This issue may lead to unintended information disclosure by the application. Package: rh-dotnet31-curl

CVE-2023-28322 [LOW] CWE-200 An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send even when t An information disclosure vulnerability exists in curl Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this. Mariner: Mariner hackerone: hackerone Customer Action Required: Yes Remediation: CBL-Mariner Releases Reference: https://lear

CVE-2023-28322 [LOW] CVE-2023-28322: curl - An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S... An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. Scope: local bookworm: resolved (fixed in 7.88.1-10) bullseye: resolved (fixed in 7.74.0-1.3+deb11u9) forky: resolved (fixed in 7.88.1-10) sid: resolved (fixed in 7.88.1-10) trixie: resolved (fi

CVE-2023-28321 [MEDIUM] curl vulnerabilities curl vulnerabilities USN-6237-1 fixed several vulnerabilities in curl. This update provides the corresponding updates for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04 LTS. Original advisory details: Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. (CVE-2023-28321) Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service. (CVE-2023-28322) It was discovered that curl incorrectly handled saving cookies to files. A local attacker could possibly use this issue to

CVE-2023-28321 [MEDIUM] curl regression curl regression USN-6237-1 fixed vulnerabilities in curl. The update caused a certificate wildcard handling regression on Ubuntu 22.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. (CVE-2023-28321) Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service. (CVE-2023-28322) It was discovered that curl incorrectly handled saving cookies to files. A local attacker could

CVE-2023-28321 [MEDIUM] curl vulnerabilities curl vulnerabilities Hiroki Kurosawa discovered that curl incorrectly handled validating certain certificate wildcards. A remote attacker could possibly use this issue to spoof certain website certificates using IDN hosts. (CVE-2023-28321) Hiroki Kurosawa discovered that curl incorrectly handled callbacks when certain options are set by applications. This could cause applications using curl to misbehave, resulting in information disclosure, or a denial of service. (CVE-2023-28322) It was discovered that curl incorrectly handled saving cookies to files. A local attacker could possibly use this issue to create or overwrite files. This issue only affected Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-32001)

CVE-2023-28322 [LOW] CWE-200 GHSA-78jh-p6rf-g59w: An information disclosure vulnerability exists in curl <v8 An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

CVE-2023-28322 [LOW] CVE-2023-28322: An information disclosure vulnerability exists in curl <v8 An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

CVE-2023-28322 [LOW] CVE-2023-28322: more POST-after-PUT confusion CVE-2023-28322: more POST-after-PUT confusion Original Report:https://hackerone.com/reports/1954658 ## Impact CWE-440: Expected Behavior Violation An attacker could potentially inject data, either from stdin or from an unintended buffer. Further, without even an active attacker, this could lead to segfaults or sensitive information being exposed to an unintended recipient. CVE-2023-28322 - more POST-after-PUT confusion VULNERABILITY When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the

CVE-2023-28322 [CRITICAL] CVE-2023-28322: more POST-after-PUT confusion CVE-2023-28322: more POST-after-PUT confusion ## Summary: CVE-2022-32221 fixes is insufficient. In CVE-2022-32221, only CURLOPT_POST was corrected. However, CURLOPT_POST is not necessarily used when sending data with the POST method. CURLOPT_POST is not used in the CURLOPT_POSTFIELDS usage example on the official website. ``` CURL *curl = curl_easy_init(); if(curl) { const char *data = "data to send"; curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); /* size of the POST data */ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, 12L); /* pass in a pointer to the data - libcurl will not copy */ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data); curl_easy_perform(curl); } ``` Also on this page is the following statement. >Using CURLOPT_POSTFIELDS implies setting CURLOPT_POST to 1.