CVE-2023-23914

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.

Published: Feb 23, 2023
Updated: Apr 14, 2023
CVE: CVE-2023-23914
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-319

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
haxx / curl	7.77.0	7.88.0
netapp / clustered_data_ontap	9.0	9.0.x
splunk / universal_forwarder	9.1.0	9.1.0.x
splunk / universal_forwarder	9.0.0	9.0.6
splunk / universal_forwarder	8.2.0	8.2.12

https://hackerone.com/reports/1813864
https://security.gentoo.org/glsa/202310-12
https://security.netapp.com/advisory/ntap-20230309-0006/

Vulnerability Database

289,599

CVE-2023-23914