UBUNTU-CVE-2023-23915

See a problem?

Source

https://ubuntu.com/security/notices/UBUNTU-CVE-2023-23915

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-23915.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-23915

Related

Published

2023-02-15T00:00:00Z

Modified

2023-02-15T00:00:00Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.

References

Affected packages

Ubuntu:22.04:LTS / curl

Package

Name: curl
Purl: pkg:deb/ubuntu/curl@7.81.0-1ubuntu1.8?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.81.0-1ubuntu1.8

Affected versions

7.*

7.74.0-1.3ubuntu2

7.74.0-1.3ubuntu3

7.80.0-3

7.81.0-1

7.81.0-1ubuntu1.1

7.81.0-1ubuntu1.2

7.81.0-1ubuntu1.3

7.81.0-1ubuntu1.4

7.81.0-1ubuntu1.6

7.81.0-1ubuntu1.7

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "curl-dbgsym": "7.81.0-1ubuntu1.8",
            "curl": "7.81.0-1ubuntu1.8",
            "libcurl4": "7.81.0-1ubuntu1.8",
            "libcurl4-gnutls-dev": "7.81.0-1ubuntu1.8",
            "libcurl4-dbgsym": "7.81.0-1ubuntu1.8",
            "libcurl3-nss": "7.81.0-1ubuntu1.8",
            "libcurl4-doc": "7.81.0-1ubuntu1.8",
            "libcurl3-nss-dbgsym": "7.81.0-1ubuntu1.8",
            "libcurl3-gnutls": "7.81.0-1ubuntu1.8",
            "libcurl3-gnutls-dbgsym": "7.81.0-1ubuntu1.8",
            "libcurl4-openssl-dev": "7.81.0-1ubuntu1.8",
            "libcurl4-nss-dev": "7.81.0-1ubuntu1.8"
        }
    ]
}