CVE-2023-38546 - Vulnerability Details

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Haxx	Libcurl
Redhat	Enterprise Linux Jboss Core Services Logging Rhel Eus Rhel Satellite Client

Configuration 1 [-]

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
JBoss Core Services for RHEL 8
jbcs-httpd24-curl-0:8.4.0-2.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2023:7625	2023-12-07T00:00:00Z
JBoss Core Services on RHEL 7
jbcs-httpd24-curl-0:8.4.0-2.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2023:7625	2023-12-07T00:00:00Z
Red Hat Enterprise Linux 8
curl-0:7.61.1-33.el8_9.5	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:1601	2024-04-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
curl-0:7.61.1-22.el8_6.9	cpe:/o:redhat:rhel_eus:8.6	RHSA-2023:6292	2023-11-02T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
curl-0:7.61.1-30.el8_8.6	cpe:/o:redhat:rhel_eus:8.8	RHSA-2023:7540	2023-11-28T00:00:00Z
Red Hat Enterprise Linux 9
curl-0:7.76.1-23.el9_2.4	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:5763	2023-10-17T00:00:00Z
curl-0:7.76.1-26.el9_3.2	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:6745	2023-11-07T00:00:00Z
curl-0:7.76.1-23.el9_2.4	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:5763	2023-10-17T00:00:00Z
curl-0:7.76.1-26.el9_3.2	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:6745	2023-11-07T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
curl-0:7.76.1-14.el9_0.9	cpe:/a:redhat:rhel_eus:9.0	RHSA-2023:5700	2023-10-13T00:00:00Z
RHOL-5.6-RHEL-8
openshift-logging/cluster-logging-operator-bundle:v5.6.18-16	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/cluster-logging-rhel8-operator:v5.6.18-7	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/elasticsearch6-rhel8:v6.8.1-409	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/elasticsearch-operator-bundle:v5.6.18-16	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-481	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/elasticsearch-rhel8-operator:v5.6.18-7	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/eventrouter-rhel8:v0.4.0-246	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/fluentd-rhel8:v1.14.6-216	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/kibana6-rhel8:v6.8.1-430	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/log-file-metric-exporter-rhel8:v1.1.0-226	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/logging-curator5-rhel8:v5.8.1-472	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/logging-loki-rhel8:v2.9.6-16	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/logging-view-plugin-rhel8:v5.6.18-3	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/loki-operator-bundle:v5.6.18-30	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/loki-rhel8-operator:v5.6.18-12	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/lokistack-gateway-rhel8:v0.1.0-528	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/opa-openshift-rhel8:v0.1.0-226	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
openshift-logging/vector-rhel8:v0.21.0-127	cpe:/a:redhat:logging:5.6::el8	RHSA-2024:2092	2024-05-01T00:00:00Z
RHOL-5.7-RHEL-8
openshift-logging/cluster-logging-operator-bundle:v5.7.13-16	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/cluster-logging-rhel8-operator:v5.7.13-7	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/elasticsearch6-rhel8:v6.8.1-408	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/elasticsearch-operator-bundle:v5.7.13-19	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-480	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/elasticsearch-rhel8-operator:v5.7.13-9	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/eventrouter-rhel8:v0.4.0-248	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/fluentd-rhel8:v1.14.6-215	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/kibana6-rhel8:v6.8.1-431	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/log-file-metric-exporter-rhel8:v1.1.0-228	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/logging-curator5-rhel8:v5.8.1-471	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/logging-loki-rhel8:v2.9.6-15	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/logging-view-plugin-rhel8:v5.7.13-3	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/loki-operator-bundle:v5.7.13-27	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/loki-rhel8-operator:v5.7.13-12	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/lokistack-gateway-rhel8:v0.1.0-527	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/opa-openshift-rhel8:v0.1.0-225	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
openshift-logging/vector-rhel8:v0.28.1-57	cpe:/a:redhat:logging:5.7::el8	RHSA-2024:2093	2024-05-01T00:00:00Z
Satellite Client 6 for RHEL 6
puppet-agent-0:7.28.0-1.el6sat	cpe:/a:redhat:rhel_satellite_client:6::el6	RHSA-2024:2101	2024-04-29T00:00:00Z
Satellite Client 6 for RHEL 7
puppet-agent-0:7.28.0-1.el7sat	cpe:/a:redhat:rhel_satellite_client:6::el7	RHSA-2024:2101	2024-04-29T00:00:00Z
Satellite Client 6 for RHEL 8
puppet-agent-0:7.28.0-1.el8sat	cpe:/a:redhat:rhel_satellite_client:6::el8	RHSA-2024:2101	2024-04-29T00:00:00Z
Satellite Client 6 for RHEL 9
puppet-agent-0:7.28.0-1.el9sat	cpe:/a:redhat:rhel_satellite_client:6::el9	RHSA-2024:2101	2024-04-29T00:00:00Z
Text-Only JBCS
curl	cpe:/a:redhat:jboss_core_services:1	RHSA-2023:7626	2023-12-07T00:00:00Z

References

Link	Providers
http://seclists.org/fulldisclosure/2024/Jan/34
http://seclists.org/fulldisclosure/2024/Jan/37
http://seclists.org/fulldisclosure/2024/Jan/38
https://curl.se/docs/CVE-2023-38546.html
https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/
https://nvd.nist.gov/vuln/detail/CVE-2023-38546
https://support.apple.com/kb/HT214036
https://support.apple.com/kb/HT214057
https://support.apple.com/kb/HT214058
https://support.apple.com/kb/HT214063
https://www.cve.org/CVERecord?id=CVE-2023-38546

History

Thu, 13 Feb 2025 17:15:00 +0000

Type	Values Removed	Values Added
Description	This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.	This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2023-10-18T03:51:31.276Z

Updated: 2025-02-13T17:01:53.507Z

Reserved: 2023-07-20T01:00:12.444Z

Link: CVE-2023-38546

Vulnrichment

Updated: 2024-08-02T17:46:55.785Z

NVD

Status : Modified

Published: 2023-10-18T04:15:11.137

Modified: 2025-02-13T17:16:48.027

Link: CVE-2023-38546

Redhat

Severity : Low

Publid Date: 2023-10-11T00:00:00Z

Links: CVE-2023-38546 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-38546", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2023-07-20T01:00:12.444Z", "datePublished": "2023-10-18T03:51:31.276Z", "dateUpdated": "2025-02-13T17:01:53.507Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course."}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.4.0", "status": "affected", "lessThan": "8.4.0", "versionType": "semver"}, {"version": "7.9.1", "status": "unaffected", "lessThan": "7.9.1", "versionType": "semver"}]}], "references": [{"url": "https://curl.se/docs/CVE-2023-38546.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/"}, {"url": "https://support.apple.com/kb/HT214036"}, {"url": "https://support.apple.com/kb/HT214063"}, {"url": "https://support.apple.com/kb/HT214057"}, {"url": "https://support.apple.com/kb/HT214058"}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/34"}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/37"}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/38"}, {"url": "https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-07-09T13:27:34.245Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:55.785Z"}, "title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2023-38546.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214036", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214063", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214057", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214058", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/34", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/37", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/38", "tags": ["x_transferred"]}, {"url": "https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-13T15:01:53.358515Z", "id": "CVE-2023-38546", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T15:02:37.137Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2023-38546.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214036", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214063", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214057", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214058", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/34", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/37", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/38", "tags": ["x_transferred"]}, {"url": "https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:55.785Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38546", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-13T15:01:53.358515Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T15:02:32.453Z"}}], "cna": {"affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.4.0", "lessThan": "8.4.0", "versionType": "semver"}, {"status": "unaffected", "version": "7.9.1", "lessThan": "7.9.1", "versionType": "semver"}]}], "references": [{"url": "https://curl.se/docs/CVE-2023-38546.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/"}, {"url": "https://support.apple.com/kb/HT214036"}, {"url": "https://support.apple.com/kb/HT214063"}, {"url": "https://support.apple.com/kb/HT214057"}, {"url": "https://support.apple.com/kb/HT214058"}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/34"}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/37"}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/38"}, {"url": "https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868"}], "descriptions": [{"lang": "en", "value": "This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2024-07-09T13:27:34.245Z"}}}, "cveMetadata": {"cveId": "CVE-2023-38546", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:01:53.507Z", "dateReserved": "2023-07-20T01:00:12.444Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2023-10-18T03:51:31.276Z", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*", "matchCriteriaId": "9058709C-7DD0-44D7-8224-535363E103A9", "versionEndExcluding": "8.4.0", "versionStartIncluding": "7.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course."}, {"lang": "es", "value": "Esta falla permite a un atacante insertar cookies a voluntad en un programa en ejecuci\u00f3n usando libcurl, si se cumple una serie espec\u00edfica de condiciones. libcurl realiza transferencias. En su API, una aplicaci\u00f3n crea \"easy handles\" que son identificadores individuales para transferencias individuales. libcurl proporciona una llamada de funci\u00f3n que duplica un identificador sencillo llamado [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). Si una transferencia tiene cookies habilitadas cuando el identificador est\u00e1 duplicado, el estado de habilitaci\u00f3n de cookies tambi\u00e9n se clona, pero sin clonar las cookies reales. Si el identificador de origen no ley\u00f3 ninguna cookie de un archivo espec\u00edfico en el disco, la versi\u00f3n clonada del identificador almacenar\u00eda el nombre del archivo como \"none\" (usando las cuatro letras ASCII, sin comillas). El uso posterior del identificador clonado que no establece expl\u00edcitamente una fuente desde la cual cargar cookies cargar\u00eda inadvertidamente cookies desde un archivo llamado \"none\", si dicho archivo existe y es legible en el directorio actual del programa usando libcurl. Y si utiliza el formato de archivo correcto, por supuesto."}], "id": "CVE-2023-38546", "lastModified": "2025-02-13T17:16:48.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-18T04:15:11.137", "references": [{"source": "support@hackerone.com", "url": "http://seclists.org/fulldisclosure/2024/Jan/34"}, {"source": "support@hackerone.com", "url": "http://seclists.org/fulldisclosure/2024/Jan/37"}, {"source": "support@hackerone.com", "url": "http://seclists.org/fulldisclosure/2024/Jan/38"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://curl.se/docs/CVE-2023-38546.html"}, {"source": "support@hackerone.com", "url": "https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/"}, {"source": "support@hackerone.com", "url": "https://support.apple.com/kb/HT214036"}, {"source": "support@hackerone.com", "url": "https://support.apple.com/kb/HT214057"}, {"source": "support@hackerone.com", "url": "https://support.apple.com/kb/HT214058"}, {"source": "support@hackerone.com", "url": "https://support.apple.com/kb/HT214063"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jan/34"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jan/37"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jan/38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://curl.se/docs/CVE-2023-38546.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214036"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214057"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214058"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214063"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Patched-by: Daniel Stenberg and Reported-by: w0x42 on hackerone for reporting this issue.", "affected_release": [{"advisory": "RHSA-2023:7625", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-curl-0:8.4.0-2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7625", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:8.4.0-2.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2024:1601", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "curl-0:7.61.1-33.el8_9.5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2023:6292", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "curl-0:7.61.1-22.el8_6.9", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-11-02T00:00:00Z"}, {"advisory": "RHSA-2023:7540", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "curl-0:7.61.1-30.el8_8.6", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2023-11-28T00:00:00Z"}, {"advisory": "RHSA-2023:5763", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "curl-0:7.76.1-23.el9_2.4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-17T00:00:00Z"}, {"advisory": "RHSA-2023:6745", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "curl-0:7.76.1-26.el9_3.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:5763", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "curl-0:7.76.1-23.el9_2.4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-17T00:00:00Z"}, {"advisory": "RHSA-2023:6745", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "curl-0:7.76.1-26.el9_3.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:5700", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "curl-0:7.76.1-14.el9_0.9", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-10-13T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/cluster-logging-operator-bundle:v5.6.18-16", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/cluster-logging-rhel8-operator:v5.6.18-7", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-409", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/elasticsearch-operator-bundle:v5.6.18-16", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-481", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/elasticsearch-rhel8-operator:v5.6.18-7", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/eventrouter-rhel8:v0.4.0-246", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/fluentd-rhel8:v1.14.6-216", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/kibana6-rhel8:v6.8.1-430", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/log-file-metric-exporter-rhel8:v1.1.0-226", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/logging-curator5-rhel8:v5.8.1-472", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/logging-loki-rhel8:v2.9.6-16", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/logging-view-plugin-rhel8:v5.6.18-3", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/loki-operator-bundle:v5.6.18-30", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/loki-rhel8-operator:v5.6.18-12", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/lokistack-gateway-rhel8:v0.1.0-528", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/opa-openshift-rhel8:v0.1.0-226", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2092", "cpe": "cpe:/a:redhat:logging:5.6::el8", "package": "openshift-logging/vector-rhel8:v0.21.0-127", "product_name": "RHOL-5.6-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/cluster-logging-operator-bundle:v5.7.13-16", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/cluster-logging-rhel8-operator:v5.7.13-7", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/elasticsearch6-rhel8:v6.8.1-408", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/elasticsearch-operator-bundle:v5.7.13-19", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/elasticsearch-proxy-rhel8:v1.0.0-480", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/elasticsearch-rhel8-operator:v5.7.13-9", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/eventrouter-rhel8:v0.4.0-248", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/fluentd-rhel8:v1.14.6-215", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/kibana6-rhel8:v6.8.1-431", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/log-file-metric-exporter-rhel8:v1.1.0-228", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/logging-curator5-rhel8:v5.8.1-471", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/logging-loki-rhel8:v2.9.6-15", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/logging-view-plugin-rhel8:v5.7.13-3", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/loki-operator-bundle:v5.7.13-27", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/loki-rhel8-operator:v5.7.13-12", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/lokistack-gateway-rhel8:v0.1.0-527", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/opa-openshift-rhel8:v0.1.0-225", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2093", "cpe": "cpe:/a:redhat:logging:5.7::el8", "package": "openshift-logging/vector-rhel8:v0.28.1-57", "product_name": "RHOL-5.7-RHEL-8", "release_date": "2024-05-01T00:00:00Z"}, {"advisory": "RHSA-2024:2101", "cpe": "cpe:/a:redhat:rhel_satellite_client:6::el6", "package": "puppet-agent-0:7.28.0-1.el6sat", "product_name": "Satellite Client 6 for RHEL 6", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2101", "cpe": "cpe:/a:redhat:rhel_satellite_client:6::el7", "package": "puppet-agent-0:7.28.0-1.el7sat", "product_name": "Satellite Client 6 for RHEL 7", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2101", "cpe": "cpe:/a:redhat:rhel_satellite_client:6::el8", "package": "puppet-agent-0:7.28.0-1.el8sat", "product_name": "Satellite Client 6 for RHEL 8", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2024:2101", "cpe": "cpe:/a:redhat:rhel_satellite_client:6::el9", "package": "puppet-agent-0:7.28.0-1.el9sat", "product_name": "Satellite Client 6 for RHEL 9", "release_date": "2024-04-29T00:00:00Z"}, {"advisory": "RHSA-2023:7626", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "curl", "product_name": "Text-Only JBCS", "release_date": "2023-12-07T00:00:00Z"}], "bugzilla": {"description": "curl: cookie injection with none file", "id": "2241938", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241938"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-73", "details": ["This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course.", "A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if the specific series of conditions are met."], "name": "CVE-2023-38546", "package_state": [{"cpe": "cpe:/a:redhat:rhel_dotnet:6.0", "fix_state": "Out of support scope", "impact": "low", "package_name": "rh-dotnet60", "product_name": ".NET 6.0 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "puppet-agent", "product_name": "Red Hat Satellite 6"}], "public_date": "2023-10-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-38546\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-38546\nhttps://curl.se/docs/CVE-2023-38546.html"], "statement": "The flaw requires a series of conditions to be met and the likeliness that they shall allow an attacker to take advantage of it is low. Even if the bug could be made to trigger, the risk that a cookie injection can be done to cause harm is additionally also low.\nThe updated puppet-client has been released and consumed in downstream packages. This includes RH Satellite.", "threat_severity": "Low"}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object