CVE-2023-23914
CRITICALcurl < 7.88.0 - Cleartext Transmission of Sensitive Information via HSTS State Mismanagement
Title source: llmDescription
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on.
References (3)
Core 3
Core References
Exploit, Issue Tracking
https://hackerone.com/reports/1813864
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230309-0006/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202310-12
Scores
CVSS v3
9.1
EPSS
0.0011
EPSS Percentile
28.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-319
Status
published
Products (9)
haxx/curl
7.77.0 - 7.88.0
netapp/active_iq_unified_manager
netapp/clustered_data_ontap
9.0
netapp/h300s_firmware
netapp/h410s_firmware
netapp/h500s_firmware
netapp/h700s_firmware
splunk/universal_forwarder
9.1.0
splunk/universal_forwarder
8.2.0 - 8.2.12
Published
Feb 23, 2023
Tracked Since
Feb 18, 2026