Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-28322

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Published

2023-05-26T21:15:16.153

Last Modified

2024-11-21T07:54:50.347

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.7 (LOW)

Weaknesses

Type: Secondary
CWE-200
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	haxx	curl	< 8.1.0	Yes
Operating System	fedoraproject	fedora	37	Yes
Operating System	fedoraproject	fedora	38	Yes
Operating System	apple	macos	< 11.7.9	Yes
Operating System	apple	macos	< 12.6.8	Yes
Operating System	apple	macos	< 13.5	Yes
Application	netapp	clustered_data_ontap	-	Yes
Application	netapp	ontap_antivirus_connector	-	Yes
Operating System	netapp	h300s_firmware	-	Yes
Hardware	netapp	h300s	-	No
Operating System	netapp	h500s_firmware	-	Yes
Hardware	netapp	h500s	-	No
Operating System	netapp	h700s_firmware	-	Yes
Hardware	netapp	h700s	-	No
Operating System	netapp	h410s_firmware	-	Yes
Hardware	netapp	h410s	-	No

References

http://seclists.org/fulldisclosure/2023/Jul/47 Mailing List, Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2023/Jul/48 Mailing List, Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2023/Jul/52 Mailing List, Third Party Advisory ([email protected])
https://hackerone.com/reports/1954658 Exploit, Patch, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/ ([email protected])
https://security.gentoo.org/glsa/202310-12 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20230609-0009/ Third Party Advisory ([email protected])
https://support.apple.com/kb/HT213843 Third Party Advisory ([email protected])
https://support.apple.com/kb/HT213844 Third Party Advisory ([email protected])
https://support.apple.com/kb/HT213845 Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2023/Jul/47 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2023/Jul/48 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2023/Jul/52 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1954658 Exploit, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202310-12 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230609-0009/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT213843 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT213844 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.apple.com/kb/HT213845 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)