CVE-2023-46219
Published: 6 December 2023
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.
Notes
| Author | Note |
|---|---|
Priority reason: Upstream determined this is a low-priority issue |
|
| mdeslaur | introduced in 7.84.0 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
curl Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
(7.68.0-1ubuntu2.20)
|
|
| jammy |
Not vulnerable
(7.81.0-1ubuntu1.14)
|
|
| lunar |
Released
(7.88.1-8ubuntu2.4)
|
|
| mantic |
Released
(8.2.1-1ubuntu3.2)
|
|
| noble |
Released
(8.5.0-2ubuntu1)
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Released
(8.5.0)
|
|
| xenial |
Not vulnerable
|
|
|
Patches: upstream: https://github.com/curl/curl/commit/73b65e94f3531179de45 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |