Home > Vulnerability Database > CVE-2023-28322

Mend.io Vulnerability Database

CVE-2023-28322

Good to know:

Date: May 25, 2023

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Language: C

Severity Score

3.7

Related Resources (20)

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/

Url: https://support.apple.com/kb/HT213843

Url: https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-28322

Url: http://seclists.org/fulldisclosure/2023/Jul/52

Url: https://github.com/curl/curl/commit/199f2d440d8659b42

Url: https://access.redhat.com/security/cve/CVE-2023-28322

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/

Url: https://support.apple.com/kb/HT213844

Url: https://curl.se/docs/CVE-2023-28322.html

Url: https://support.apple.com/kb/HT213845

Url: https://security.gentoo.org/glsa/202310-12

Url: https://security-tracker.debian.org/tracker/CVE-2023-28322

Url: https://security.netapp.com/advisory/ntap-20230609-0009/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/

Url: http://seclists.org/fulldisclosure/2023/Jul/48

Url: https://hackerone.com/reports/1954658

Url: http://seclists.org/fulldisclosure/2023/Jul/47

Url: https://www.mend.io/vulnerability-database/CVE-2023-28322

Severity Score

3.7

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version curl-8_1_0

Learn More

CVSS v3.1

Base Score:	3.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-28322

Good to know:

Date: May 25, 2023

Language: C

Severity Score

Related Resources (20)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?