An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
References
Link | Resource |
---|---|
http://seclists.org/fulldisclosure/2023/Jul/47 | Mailing List Third Party Advisory |
http://seclists.org/fulldisclosure/2023/Jul/48 | Mailing List Third Party Advisory |
http://seclists.org/fulldisclosure/2023/Jul/52 | Mailing List Third Party Advisory |
https://hackerone.com/reports/1954658 | Exploit Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/ | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/ | |
https://security.gentoo.org/glsa/202310-12 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230609-0009/ | Third Party Advisory |
https://support.apple.com/kb/HT213843 | Third Party Advisory |
https://support.apple.com/kb/HT213844 | Third Party Advisory |
https://support.apple.com/kb/HT213845 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
AND |
|
Configuration 8 (hide)
AND |
|
History
22 Dec 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Nov 2023, 04:10
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
20 Oct 2023, 21:05
Type | Values Removed | Values Added |
---|---|---|
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jul/52 - Mailing List, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jul/48 - Mailing List, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jul/47 - Mailing List, Third Party Advisory | |
References | (GENTOO) https://security.gentoo.org/glsa/202310-12 - Third Party Advisory |
11 Oct 2023, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Aug 2023, 16:46
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:ontap_antivirus_connector:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* |
|
First Time |
Netapp h300s Firmware
Apple Netapp Netapp h700s Netapp h410s Firmware Netapp ontap Antivirus Connector Netapp clustered Data Ontap Netapp h300s Netapp h500s Netapp h700s Firmware Netapp h410s Netapp h500s Firmware Apple macos |
|
References | (CONFIRM) https://support.apple.com/kb/HT213844 - Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT213845 - Third Party Advisory | |
References | (CONFIRM) https://support.apple.com/kb/HT213843 - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jul/48 - Mailing List | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jul/52 - Mailing List | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jul/47 - Mailing List |
25 Jul 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
24 Jul 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Jun 2023, 16:40
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 3.7 |
CPE | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/ - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20230609-0009/ - Third Party Advisory | |
First Time |
Fedoraproject
Fedoraproject fedora |
09 Jun 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Jun 2023, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
07 Jun 2023, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Jun 2023, 18:25
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
References | (MISC) https://hackerone.com/reports/1954658 - Exploit, Patch, Third Party Advisory | |
CPE | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | |
First Time |
Haxx curl
Haxx |
|
CWE | NVD-CWE-noinfo |
26 May 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-05-26 21:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-28322
Mitre link : CVE-2023-28322
CVE.ORG link : CVE-2023-28322
JSON object : View
Products Affected
haxx
- curl
netapp
- ontap_antivirus_connector
- h500s_firmware
- h700s
- h300s_firmware
- h410s
- h700s_firmware
- h500s
- h300s
- h410s_firmware
- clustered_data_ontap
apple
- macos
fedoraproject
- fedora
CWE