Main Vulnerability Database Vulnerabilities #VU81863

External control of file name or path in cURL - CVE-2023-38546

Published: October 11, 2023 / Updated: April 12, 2024

Vulnerability identifier: #VU81863

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-38546

CWE-ID: CWE-73

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: curl.haxx.se

Affected software:
cURL

Detailed vulnerability description

The vulnerability allows an attacker to inject arbitrary cookies into request.

The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl.

How to mitigate CVE-2023-38546

Install updates from vendor's website.

Sources

https://curl.haxx.se/docs/CVE-2023-38546.html

External control of file name or path in cURL - CVE-2023-38546

Detailed vulnerability description

How to mitigate CVE-2023-38546

Sources

Please verify you're human