Home > Vulnerability Database > CVE-2023-23915

Mend.io Vulnerability Database

CVE-2023-23915

Good to know:

Date: February 22, 2023

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.

Language: C

Severity Score

6.5

Related Resources (9)

Url: https://hackerone.com/reports/1826048

Url: https://seclists.org/oss-sec/2023/q1/99

Url: https://security.netapp.com/advisory/ntap-20230309-0006/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-23915

Url: https://hackerone.com/reports/1874716

Url: https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a

Url: https://security-tracker.debian.org/tracker/CVE-2023-23915

Url: https://security.gentoo.org/glsa/202310-12

Url: https://www.mend.io/vulnerability-database/CVE-2023-23915

Severity Score

6.5

Weakness Type (CWE)

Cleartext Transmission of Sensitive Information

CWE-319

Top Fix

Upgrade Version

Upgrade to version curl-7_88_0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-23915

Good to know:

Date: February 22, 2023

Language: C

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?