CVE-2023-28322
Summary
| CVE | CVE-2023-28322 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-05-26 21:15:00 UTC |
| Updated | 2023-12-22 16:15:00 UTC |
| Description | An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Apple | Macos | All | All | All | All |
| Operating System | Fedoraproject | Fedora | 37 | All | All | All |
| Operating System | Fedoraproject | Fedora | 38 | All | All | All |
| Application | Haxx | Curl | All | All | All | All |
| Application | Netapp | Clustered Data Ontap | - | All | All | All |
| Hardware | Netapp | H300s | - | All | All | All |
| Operating System | Netapp | H300s Firmware | - | All | All | All |
| Hardware | Netapp | H410s | - | All | All | All |
| Operating System | Netapp | H410s Firmware | - | All | All | All |
| Hardware | Netapp | H500s | - | All | All | All |
| Operating System | Netapp | H500s Firmware | - | All | All | All |
| Hardware | Netapp | H700s | - | All | All | All |
| Operating System | Netapp | H700s Firmware | - | All | All | All |
| Application | Netapp | Ontap Antivirus Connector | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 37 Update: curl-7.85.0-9.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Full Disclosure: APPLE-SA-2023-07-24-5 macOS Monterey 12.6.8 | FULLDISC | seclists.org | |
| About the security content of macOS Ventura 13.5 - Apple Support | CONFIRM | support.apple.com | |
| About the security content of macOS Monterey 12.6.8 - Apple Support | CONFIRM | support.apple.com | |
| curl: Multiple Vulnerabilities (GLSA 202310-12) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] [DLA 3692-1] curl security update | lists.debian.org | ||
| About the security content of macOS Big Sur 11.7.9 - Apple Support | CONFIRM | support.apple.com | |
| Full Disclosure: APPLE-SA-2023-07-24-4 macOS Ventura 13.5 | FULLDISC | seclists.org | |
| Full Disclosure: APPLE-SA-2023-07-24-6 macOS Big Sur 11.7.9 | FULLDISC | seclists.org | |
| May 2023 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| [SECURITY] Fedora 38 Update: curl-8.0.1-2.fc38 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 37 Update: curl-7.85.0-9.fc37 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| HackerOne | MISC | hackerone.com | |
| [SECURITY] Fedora 38 Update: curl-8.0.1-2.fc38 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160825 Oracle Enterprise Linux Security Update for curl (ELSA-2023-4354)
- 161458 Oracle Enterprise Linux Security Update for curl (ELSA-2024-1601)
- 184725 Debian Security Update for curl (CVE-2023-28322)
- 199591 Ubuntu Security Notification for curl Vulnerabilities (USN-6237-1)
- 241893 Red Hat Update for curl (RHSA-2023:4354)
- 241954 Red Hat Update for JBoss Core Services (RHSA-2023:4629)
- 242150 Red Hat Update for curl (RHSA-2023:5598)
- 242817 Red Hat Update for curl (RHSA-2024:0585)
- 242849 Red Hat Update for curl (RHSA-2024:0428)
- 243155 Red Hat Update for curl (RHSA-2024:1601)
- 284014 Fedora Security Update for curl (FEDORA-2023-8ed627bb04)
- 284076 Fedora Security Update for curl (FEDORA-2023-37eac50e9b)
- 355747 Amazon Linux Security Advisory for curl : ALAS2023-2023-270
- 378687 Apple macOS Ventura 13.5 Not Installed (HT213843)
- 378688 Apple macOS Monterey 12.6.8 Not Installed (HT213844)
- 378689 Apple macOS Big Sur 11.7.9 Not Installed (HT213845)
- 503014 Alpine Linux Security Update for curl
- 6000399 Debian Security Update for curl (DLA 3692-1)
- 673227 EulerOS Security Update for curl (EulerOS-SA-2023-2350)
- 673249 EulerOS Security Update for curl (EulerOS-SA-2023-2376)
- 673298 EulerOS Security Update for curl (EulerOS-SA-2023-2578)
- 673312 EulerOS Security Update for curl (EulerOS-SA-2023-2608)
- 673616 EulerOS Security Update for curl (EulerOS-SA-2023-2635)
- 673678 EulerOS Security Update for curl (EulerOS-SA-2023-2677)
- 691172 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (a4f8bb03-f52f-11ed-9859-080027083a05)
- 710772 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202310-12)
- 754020 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2226-1)
- 754021 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2228-1)
- 754022 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2227-1)
- 754069 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:2225-1)
- 906994 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (26792-1)
- 906995 Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (26791-1)
- 907008 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (26846-1)
- 941198 AlmaLinux Security Update for curl (ALSA-2023:4354)
- 941637 AlmaLinux Security Update for curl (ALSA-2024:1601)
- 961151 Rocky Linux Security Update for curl (RLSA-2024:1601)