Vulnerability CVE-2023-46219: Information

Description

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-46219
Published: Dec. 12, 2023
Modified: Jan. 19, 2024
Error type identifier: CWE-311

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
curlsisyphus8.5.0-alt18.7.1-alt2ALT-PU-2023-7837-1335914Fixed
curlsisyphus_e2k8.5.0-alt18.7.1-alt2ALT-PU-2023-7859-1-Fixed
curlsisyphus_riscv648.5.0-alt18.7.1-alt2ALT-PU-2023-7947-1-Fixed
curlsisyphus_loongarch648.5.0-alt18.7.1-alt2ALT-PU-2023-7876-1-Fixed
curlp108.5.0-alt18.7.1-alt2ALT-PU-2023-7977-2336240Fixed
curlp10_e2k8.5.0-alt18.7.1-alt2ALT-PU-2023-8121-1-Fixed
curlc10f18.5.0-alt18.6.0-alt1ALT-PU-2023-8316-2337201Fixed
curlc9f28.5.0-alt18.6.0-alt1ALT-PU-2023-8180-3336757Fixed
curlp118.5.0-alt18.7.1-alt2ALT-PU-2023-7837-1335914Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://hackerone.com/reports/2236133
  • Exploit
  • Third Party Advisory
https://curl.se/docs/CVE-2023-46219.html
  • Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
  • Third Party Advisory
https://www.debian.org/security/2023/dsa-5587
    https://security.netapp.com/advisory/ntap-20240119-0007/

        1. Configuration 1

          cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
          Start including
          7.84.0
          End excliding
          8.5.0

          Configuration 2

          cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
      Version: v24.5.3
      Back to top