AZL-26791

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-26791.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-26791

Upstream

CVE-2023-28322

Published

2023-05-26T21:15:16Z

Modified

2026-04-01T05:08:29.193719Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

CVE-2023-28322 affecting package cmake for versions less than 3.21.4-6

Details

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-28322

Affected packages

Azure Linux:2 / cmake

Package

Name: cmake
Purl: pkg:rpm/azure-linux/cmake

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.21.4-6

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-26791.json"