Vulnerability DatabaseCVE-2023-23914
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-23914
February 23, 2023
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on. After conducting further research, Mend has determined that versions 7.74.0 to 7.87.0 of curl are vulnerable to CVE-2023-23914.
Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (6)
https://security-tracker.debian.org/tracker/CVE-2023-23914
https://hackerone.com/reports/1813864
https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a
https://security.netapp.com/advisory/ntap-20230309-0006/
https://seclists.org/oss-sec/2023/q1/98
https://security.gentoo.org/glsa/202310-12
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Cleartext Transmission of Sensitive Information
CWE-319
EPSS
Base Score:
0.13