CVE-2023-38546

Summary

CVE	CVE-2023-38546
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-10-18 04:15:00 UTC
Updated	2024-01-26 17:15:00 UTC
Description	This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

Risk And Classification

Problem Types: NVD-CWE-noinfo

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Haxx	Libcurl	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 37 Update: curl-7.85.0-12.fc37 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
About the security content of macOS Ventura 13.6.4 - Apple Support		support.apple.com
About the security content of macOS Sonoma 14.2 - Apple Support		support.apple.com
curl - cookie injection with none file - CVE-2023-38546	MISC	curl.se
seclists.org/fulldisclosure/2024/Jan/37		seclists.org
seclists.org/fulldisclosure/2024/Jan/38		seclists.org
seclists.org/fulldisclosure/2024/Jan/34		seclists.org
About the security content of macOS Monterey 12.7.3 - Apple Support		support.apple.com
About the security content of iOS 16.7.5 and iPadOS 16.7.5 - Apple Support		support.apple.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

160994 Oracle Enterprise Linux Security Update for curl (ELSA-2023-5763)
161081 Oracle Enterprise Linux Security Update for curl (ELSA-2023-6745)
161458 Oracle Enterprise Linux Security Update for curl (ELSA-2024-1601)
199825 Ubuntu Security Notification for curl Vulnerabilities (USN-6429-1)
199826 Ubuntu Security Notification for curl Vulnerability (USN-6429-2)
199899 Ubuntu Security Notification for curl Vulnerabilities (USN-6429-3)
20399 Oracle Database 19c Critical OJVM Patch Update - January 2024
20400 Oracle Database 19c Critical Patch Update - January 2024
20401 Oracle Database 21c Critical Patch Update - January 2024
242165 Red Hat Update for curl (RHSA-2023:5700)
242183 Red Hat Update for curl (RHSA-2023:5763)
242278 Red Hat Update for curl (RHSA-2023:6292)
242283 Red Hat Update for curl (RHSA-2023:6745)
242519 Red Hat Update for curl (RHSA-2023:7540)
242553 Red Hat Update for JBoss Core Services (RHSA-2023:7625)
243155 Red Hat Update for curl (RHSA-2024:1601)
284621 Fedora Security Update for curl (FEDORA-2023-b855de5c0f)
284684 Fedora Security Update for curl (FEDORA-2023-fef2b8da32)
285202 Fedora Security Update for curl (FEDORA-2023-0f8d1871d8)
296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
330154 IBM AIX Multiple Vulnerabilities due to curl (curl_advisory3)
356311 Amazon Linux Security Advisory for curl : ALAS2023-2023-377
356312 Amazon Linux Security Advisory for curl : ALAS2-2023-2287
356597 Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2ECS-2023-016
356624 Amazon Linux Security Advisory for ecs-service-connect-agent : ALAS2023-2023-420
378936 Microsoft Windows Curl Multiple Security Vulnerabilities
379000 Curl Cookie Injection Vulnerability
379001 Libcurl Cookie Injection Vulnerability
379253 Alibaba Cloud Linux Security Update for curl (ALINUX3-SA-2024:0009)
379298 Apple macOS Ventura 13.6.4 Not Installed (HT214058)
379300 Apple macOS Monterey 12.7.3 Not Installed (HT214057)
44136 FortiOS Multiple Vulnerabilities (FG-IR-23-385)
44183 Juniper Network Operating System (Junos OS) Multiple Security Vulnerabilites (JSA79108)
503379 Alpine Linux Security Update for curl
505864 Alpine Linux Security Update for curl
6000245 Debian Security Update for curl (DSA 5523-1)
6000273 Debian Security Update for curl (DLA 3613-1)
610539 Apple iOS 16.7.5 and iPadOS 16.7.5 Security Update Missing (HT214063)
673377 EulerOS Security Update for curl (EulerOS-SA-2024-1136)
673709 EulerOS Security Update for curl (EulerOS-SA-2023-3239)
673772 EulerOS Security Update for curl (EulerOS-SA-2024-1055)
673803 EulerOS Security Update for curl (EulerOS-SA-2024-1260)
673815 EulerOS Security Update for curl (EulerOS-SA-2023-3294)
673909 EulerOS Security Update for curl (EulerOS-SA-2024-1079)
673989 EulerOS Security Update for curl (EulerOS-SA-2023-3267)
674037 EulerOS Security Update for curl (EulerOS-SA-2023-3326)
710772 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202310-12)
755070 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:4044-1)
755071 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:4043-1)
907378 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (31289-1)
907468 Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (31502)
907486 Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (31502-1)
941303 AlmaLinux Security Update for curl (ALSA-2023:5763)
941348 AlmaLinux Security Update for curl (ALSA-2023:6745)
941637 AlmaLinux Security Update for curl (ALSA-2024:1601)
961057 Rocky Linux Security Update for curl (RLSA-2023:5763)
961151 Rocky Linux Security Update for curl (RLSA-2024:1601)