CVE-2023-46219
MEDIUMcurl 7.84.0-8.4.0 - Missing Encryption of Sensitive Data via HSTS File Handling
Title source: llmDescription
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.
References (9)
Core 9
Core References
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/
Exploit, Third Party Advisory
https://hackerone.com/reports/2236133
Vendor Advisory
https://curl.se/docs/CVE-2023-46219.html
Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
Third Party Advisory
https://www.debian.org/security/2023/dsa-5587
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240119-0007/
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-082556.html
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-093430.html
Vendor Advisory
https://cert-portal.siemens.com/productcert/html/ssa-331112.html
Scores
CVSS v3
5.3
EPSS
0.0113
EPSS Percentile
62.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-311
Status
published
Products (4)
curl/curl
7.84.0
curl/curl
8.4.0
fedoraproject/fedora
38
haxx/curl
7.84.0 - 8.5.0
Published
Dec 12, 2023
Tracked Since
Feb 18, 2026