CURL-CVE-2023-23915
- Source
- https://curl.se/docs/CVE-2023-23915.html
- Import Source
- https://curl.se/docs/CURL-CVE-2023-23915.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CURL-CVE-2023-23915
- Aliases
- Published
- 2023-02-15T08:00:00Z
- Modified
- 2026-05-21T06:00:22.485438021Z
- Summary
- HSTS amnesia with --parallel
- Details
-
curl's HSTS cache saving behaves wrongly when multiple URLs are requested in parallel.
Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer.
A later HTTP-only transfer to the earlier hostname would then not get upgraded properly to HSTS.
Reproducible like this:
curl --hsts hsts.txt --parallel https://curl.se https://example.comcurl --hsts hsts.txt http://curl.se
- Database specific
{ "package": "curl", "severity": "Low", "URL": "https://curl.se/docs/CVE-2023-23915.json", "last_affected": "7.87.0", "issue": "https://hackerone.com/reports/1814333", "CWE": { "id": "CWE-319", "desc": "Cleartext Transmission of Sensitive Information" }, "affects": "both", "www": "https://curl.se/docs/CVE-2023-23915.html", "award": { "amount": "480", "currency": "USD" } }- References
-
- Credits
-
-
- Harry Sintonen - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.77.0Fixed7.88.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events
Affected versions
7.*
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0
Other
curl-7_74_0
curl-7_75_0
curl-7_76_0
curl-7_76_1
curl-7_77_0
curl-7_78_0
curl-7_79_0
curl-7_79_1
curl-7_80_0
curl-7_81_0
curl-7_82_0
curl-7_83_0
curl-7_83_1
curl-7_84_0
curl-7_85_0
curl-7_86_0
curl-7_87_0