libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot.

curl can be told to receive and send cookies. curl's "cookie engine" can be built with or without [Public Suffix List](https://publicsuffix.org/) awareness. If PSL support is not provided, a more rudimentary check exists to at least prevent cookies from being set on TLDs. This check was broken if the host name in the URL uses a trailing dot.

This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
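To make the failure mode concrete, here is an added illustration (not libcurl's code; the naive check is a constructed model of a "does the domain contain a dot" TLD test) of a cookie-domain acceptance check that compares raw strings beside one that canonicalises the trailing dot before deciding:

```python
"""Illustrative cookie-domain acceptance checks (constructed example, not libcurl code)."""


def normalize_host(name: str) -> str:
    """Canonicalise a host or cookie domain: lowercase and drop the FQDN trailing dot.

    "example.com." names the same host as "example.com"; a check that compares
    the raw strings treats them as different, which is the root of the bug.
    """
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name


def is_tld(domain: str) -> bool:
    """Without PSL data, the rudimentary rule is: a name with no dot is a TLD."""
    return "." not in domain


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def naive_cookie_domain_allowed(host: str, cookie_domain: str) -> bool:
    """Flawed: the TLD test runs on the raw strings.

    With host "example.com." a server can send Domain=com.; the trailing dot
    makes "com." look like it contains a label separator, so the TLD test
    passes and the domain-match succeeds, accepting a cookie scoped to a TLD.
    """
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if is_tld(cookie_domain):
        return False
    return domain_matches(host, cookie_domain)


def hardened_cookie_domain_allowed(host: str, cookie_domain: str) -> bool:
    """Fixed: canonicalise both names before any policy decision is made."""
    host, cookie_domain = normalize_host(host), normalize_host(cookie_domain)
    if not cookie_domain or is_tld(cookie_domain):
        return False
    return domain_matches(host, cookie_domain)
```

The hardened variant also rejects an empty or bare-dot domain, which the canonicalisation would otherwise reduce to an empty string.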
Published: 2022-06-02T14:15:44.093
Last modified: 2024-11-21T06:56:10.303
Status: Modified
CVSSv3.1: 5.3 (MEDIUM)
CVSSv2 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv2 exploitability subscore: 10.0
CVSSv2 impact subscore: 2.9
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | haxx | curl | < 7.83.1 | Yes |
Operating System | netapp | hci_bootstrap_os | - | Yes |
Hardware | netapp | hci_compute_node | - | No |
Application | netapp | clustered_data_ontap | - | Yes |
Application | netapp | solidfire\,_enterprise_sds_\&_hci_storage_node | - | Yes |
Application | netapp | solidfire_\&_hci_management_node | - | Yes |
Hardware | netapp | hci_compute_node | - | Yes |
Operating System | netapp | h410s_firmware | - | Yes |
Hardware | netapp | h410s | - | No |
Operating System | netapp | h700s_firmware | - | Yes |
Hardware | netapp | h700s | - | No |
Operating System | netapp | h500s_firmware | - | Yes |
Hardware | netapp | h500s | - | No |
Operating System | netapp | h300s_firmware | - | Yes |
Hardware | netapp | h300s | - | No |
Application | splunk | universal_forwarder | < 8.2.12 | Yes |
Application | splunk | universal_forwarder | < 9.0.6 | Yes |
Application | splunk | universal_forwarder | 9.1.0 | Yes |