AZL-13660

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-13660.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-13660

Upstream

CVE-2023-23915

Published

2023-02-23T20:15:13Z

Modified

2026-04-01T05:07:44.997037Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

CVE-2023-23915 affecting package rust for versions less than 1.72.0-2

Details

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-23915

Affected packages

Azure Linux:2 / rust

Package

Name: rust
Purl: pkg:rpm/azure-linux/rust

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.72.0-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-13660.json"