CVE-2023-23915

Publication date 15 February 2023

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
curl	23.04 lunar	Fixed 7.87.0-2ubuntu1
	22.10 kinetic	Fixed 7.85.0-1ubuntu0.3
	22.04 LTS jammy	Fixed 7.81.0-1ubuntu1.8
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

Notes

mdeslaur

introduced in 7.77 same commits as CVE-2023-23914

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
curl	Upstream: 076a2f6 Upstream: 0bf8b79 Upstream: ca02a77 Upstream: dc07252 Upstream: ea5aaaa

Severity score breakdown

Parameter	Value
Base score	6.5 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

Related Ubuntu Security Notices (USN)

USN-5891-1
curl vulnerabilities
27 February 2023