{"api_version":"1","generated_at":"2026-04-22T21:39:05+00:00","cve":"CVE-2023-23914","urls":{"html":"https://cve.report/CVE-2023-23914","api":"https://cve.report/api/cve/CVE-2023-23914.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-23914","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-23914"},"summary":{"title":"CVE-2023-23914","description":"A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2023-02-23 20:15:00","updated_at":"2024-03-27 14:55:00"},"problem_types":["CWE-319"],"metrics":[],"references":[{"url":"https://hackerone.com/reports/1813864","name":"https://hackerone.com/reports/1813864","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202310-12","name":"GLSA-202310-12","refsource":"GENTOO","tags":[],"title":"curl: Multiple Vulnerabilities (GLSA 202310-12) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230309-0006/","name":"https://security.netapp.com/advisory/ntap-20230309-0006/","refsource":"CONFIRM","tags":[],"title":"February 2023 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-23914","name":"CVE Program 
record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23914","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"23914","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"haxx","cpe5":"curl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"active_iq_unified_manager","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"vmware_vsphere","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"clustered_data_ontap","cpe6":"9.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h300s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h300s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h410s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h410s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cp
e11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h500s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h500s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h700s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h700s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"splunk","cpe5":"universal_forwarder","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"23914","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"splunk","cpe5":"universal_forwarder","cpe6":"9.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-23914","qid":"183053","title":"Debian Security Update for curl (CVE-2023-23914)"},{"cve":"CVE-2023-23914","qid":"199191","title":"Ubuntu Security Notification for curl Vulnerabilities (USN-5891-1)"},{"cve":"CVE-2023-23914","qid":"241574","title":"Red Hat Update for JBoss Core Services (RHSA-2023:3354)"},{"cve":"CVE-2023-23914","qid":"283721","title":"Fedora Security Update for curl 
(FEDORA-2023-ddf6575695)"},{"cve":"CVE-2023-23914","qid":"354789","title":"Amazon Linux Security Advisory for curl : ALAS2-2023-1986"},{"cve":"CVE-2023-23914","qid":"355123","title":"Amazon Linux Security Advisory for curl : ALAS2023-2023-114"},{"cve":"CVE-2023-23914","qid":"378453","title":"NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Denial of Service (DoS) Vulnerability (NTAP-20230309-0006)"},{"cve":"CVE-2023-23914","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2023-23914","qid":"378677","title":"Oracle Hypertext Transfer Protocol Server (HTTP Server) Server Multiple Vulnerabilities (CPUJUL2023)"},{"cve":"CVE-2023-23914","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2023-23914","qid":"44183","title":"Juniper Network Operating System (Junos OS) Multiple Security Vulnerabilites (JSA79108)"},{"cve":"CVE-2023-23914","qid":"502664","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-23914","qid":"502667","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-23914","qid":"502668","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-23914","qid":"502719","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-23914","qid":"503103","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-23914","qid":"505861","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2023-23914","qid":"673128","title":"EulerOS Security Update for curl (EulerOS-SA-2023-2286)"},{"cve":"CVE-2023-23914","qid":"673152","title":"EulerOS Security Update for curl (EulerOS-SA-2023-2262)"},{"cve":"CVE-2023-23914","qid":"691083","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for curl (be233fc6-bae7-11ed-a4fb-080027f5fec9)"},{"cve":"CVE-2023-23914","qid":"710772","title":"Gentoo Linux curl Multiple Vulnerabilities (GLSA 
202310-12)"},{"cve":"CVE-2023-23914","qid":"753702","title":"SUSE Enterprise Linux Security Update for curl (SUSE-SU-2023:0429-1)"},{"cve":"CVE-2023-23914","qid":"905580","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (13633)"},{"cve":"CVE-2023-23914","qid":"905581","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rust (13635)"},{"cve":"CVE-2023-23914","qid":"905582","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (13630)"},{"cve":"CVE-2023-23914","qid":"905584","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (13625)"},{"cve":"CVE-2023-23914","qid":"905592","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rust (13659)"},{"cve":"CVE-2023-23914","qid":"905598","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for mysql (13656)"},{"cve":"CVE-2023-23914","qid":"905599","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (13654)"},{"cve":"CVE-2023-23914","qid":"905602","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (13650)"},{"cve":"CVE-2023-23914","qid":"906629","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (13654-3)"},{"cve":"CVE-2023-23914","qid":"906710","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (13630-1)"},{"cve":"CVE-2023-23914","qid":"906987","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (13650-1)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2023-23914","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/curl/curl","version":{"version_data":[{"version_value":"Fixed in 7.88.0"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Cleartext Transmission of Sensitive 
Information (CWE-319)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://hackerone.com/reports/1813864","url":"https://hackerone.com/reports/1813864"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230309-0006/","url":"https://security.netapp.com/advisory/ntap-20230309-0006/"},{"refsource":"GENTOO","name":"GLSA-202310-12","url":"https://security.gentoo.org/glsa/202310-12"}]},"description":{"description_data":[{"lang":"eng","value":"A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on."}]}},"nvd":{"publishedDate":"2023-02-23 20:15:00","lastModifiedDate":"2024-03-27 
14:55:00","problem_types":["CWE-319"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*","versionStartIncluding":"7.77.0","versionEndExcluding":"7.88.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:clustered_data_ontap:9.0:-:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{
"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.0.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","versionStartIncluding":"8.2.0","versionEndExcluding":"8.2.12","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}