CURL-CVE-2023-23915

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2023-23915.html

Import Source

https://curl.se/docs/CURL-CVE-2023-23915.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2023-23915

Aliases

CVE-2023-23915

Published

2023-02-15T08:00:00Z

Modified

2024-06-07T13:53:51Z

Summary

HSTS amnesia with --parallel

Details

curl's HSTS cache saving behaves wrongly when multiple URLs are requested in parallel.

Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer.

A later HTTP-only transfer to the earlier hostname would then not get upgraded properly to HSTS.

Reproducible like this:

curl --hsts hsts.txt --parallel https://curl.se https://example.com
curl --hsts hsts.txt http://curl.se

References

Credits

- Harry Sintonen - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.77.0

Fixed

7.88.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

7385610d0c74c6a254fea5e4cd6e1d559d848c8c

Fixed

076a2f629119222aeeb50f5a03bf9f9052fabb9a

Affected versions

7.*

7.77.0

7.78.0

7.79.0

7.79.1

7.80.0

7.81.0

7.82.0

7.83.0

7.83.1

7.84.0

7.85.0

7.86.0

7.87.0