This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than is otherwise allowed or possible. A site can thereby set cookies that are then sent to different and unrelated sites and domains.
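It could do this by exploiting a mixed-case flaw in curl's function that
verifies a given cookie domain against the Public Suffix List (PSL). For
example, a cookie could be set with domain=co.UK when the URL used the
lowercase hostname curl.co.uk, even though co.uk is listed as a PSL
domain. Domain names are case-insensitive, so co.UK and co.uk name the
same public suffix and the cookie should have been rejected; the PSL
check therefore has to compare the names case-insensitively.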
{
"affects": "both",
"award": {
"amount": "2540",
"currency": "USD"
},
"CWE": {
"id": "CWE-201",
"desc": "Information Exposure Through Sent Data"
},
"www": "https://curl.se/docs/CVE-2023-46218.html",
"URL": "https://curl.se/docs/CVE-2023-46218.json",
"last_affected": "8.4.0",
"package": "curl",
"severity": "Medium",
"issue": "https://hackerone.com/reports/2212193"
}[
{
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "138260655856239098081716053511788377221",
"length": 10170.0
},
"id": "CURL-CVE-2023-46218-04099297",
"source": "https://github.com/curl/curl.git/commit/2b0994c29a721c91c572cff7808c572a24d251eb",
"target": {
"function": "Curl_cookie_add",
"file": "lib/cookie.c"
},
"deprecated": false
},
{
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"70157023922273088324427000884924629680",
"92437533074026318023754548512791708265",
"174781051971824864692061611806535615933",
"317717153087227730924384644852634401824",
"320223818076096336606365255275427779195",
"147452772515304361370177013713828761412",
"163503535934513669771314972304392725527",
"231785432830425780566036868222861730032",
"286735239701402540127725202216210978251",
"193259407853272010415575233417515494247",
"49884205652123128562972741131269080654"
]
},
"id": "CURL-CVE-2023-46218-640d5c49",
"source": "https://github.com/curl/curl.git/commit/2b0994c29a721c91c572cff7808c572a24d251eb",
"target": {
"file": "lib/cookie.c"
},
"deprecated": false
}
]