First published: Wed Nov 29 2023
cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a mixed-case flaw in cookie handling when curl is built without Public Suffix List (PSL) support. By sending a specially crafted request, an attacker could exploit this vulnerability to allow an HTTP server to set "super cookies" in curl.
Credit: support@hackerone.com
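To show what the mixed-case flaw above means in practice, here is an illustrative C example added to this page (not curl's own code): a constructed stand-in for a public suffix table, an exact-match check that reproduces the flawed behaviour, and the case-folded check that closes it. The helper names and the suffix table are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a public suffix list; real builds use libpsl. */
static const char *const PUBLIC_SUFFIXES[] = { "com", "co.uk", "github.io" };

/* ASCII-only case-insensitive string equality (hypothetical helper). */
static bool eq_nocase(const char *a, const char *b)
{
  for (; *a && *b; a++, b++)
    if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return false;
  return *a == '\0' && *b == '\0';
}

/* Flawed check: exact match only, so "co.UK" is not recognised as a suffix. */
bool is_public_suffix_exact(const char *domain)
{
  for (size_t i = 0; i < sizeof PUBLIC_SUFFIXES / sizeof *PUBLIC_SUFFIXES; i++)
    if (strcmp(domain, PUBLIC_SUFFIXES[i]) == 0)
      return true;
  return false;
}

/* Hardened check: DNS names are case-insensitive, so fold case first. */
bool is_public_suffix_nocase(const char *domain)
{
  for (size_t i = 0; i < sizeof PUBLIC_SUFFIXES / sizeof *PUBLIC_SUFFIXES; i++)
    if (eq_nocase(domain, PUBLIC_SUFFIXES[i]))
      return true;
  return false;
}

/* Decide whether a Set-Cookie "domain=" attribute may be honoured.
   strict selects the hardened suffix check; a leading dot is ignored. */
bool cookie_domain_allowed(const char *domain, bool strict)
{
  if (*domain == '.')
    domain++;
  if (*domain == '\0' || strchr(domain, '.') == NULL)
    return false;                  /* bare labels such as "com" are never ok */
  return strict ? !is_public_suffix_nocase(domain)
                : !is_public_suffix_exact(domain);
}
```

With `strict` false, a domain attribute of `co.UK` slips past the table and would be accepted for every host under that suffix; with `strict` true it is rejected like `co.uk`.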
Affected Software | Affected Version | How to fix |
---|---|---|
Haxx Curl | >=7.46.0<=8.4.0 | |
Fedoraproject Fedora | =39 | |
redhat/curl | <8.5.0 | 8.5.0 |
ubuntu/curl | <7.58.0-2ubuntu3.24+ | 7.58.0-2ubuntu3.24+ |
ubuntu/curl | <7.68.0-1ubuntu2.21 | 7.68.0-1ubuntu2.21 |
ubuntu/curl | <7.81.0-1ubuntu1.15 | 7.81.0-1ubuntu1.15 |
ubuntu/curl | <7.88.1-8ubuntu2.4 | 7.88.1-8ubuntu2.4 |
ubuntu/curl | <8.2.1-1ubuntu3.2 | 8.2.1-1ubuntu3.2 |
ubuntu/curl | <8.5.0 | 8.5.0 |
ubuntu/curl | <7.47.0-1ubuntu2.19+ | 7.47.0-1ubuntu2.19+ |
debian/curl | <=7.64.0-4+deb10u2 | 7.64.0-4+deb10u9, 7.74.0-1.3+deb11u11, 7.88.1-10+deb12u5, 8.7.1-5 |
F5 BIG-IP Next | >=20.0.1<=20.0.2 | 20.1.0 |
F5 BIG-IP Next Central Manager | >=20.0.1<=20.0.2 | 20.1.0 |
F5 BIG-IP Next SPK | >=1.7.0<=1.9.1 | |
F5 BIG-IP Next CNF | >=1.1.0<=1.2.1 | |
F5 BIG-IP | >=17.1.0<=17.1.1 | |
F5 BIG-IP | >=16.1.0<=16.1.4 | |
F5 BIG-IP | >=15.1.0<=15.1.10 | |
F5 BIG-IQ Centralized Management | >=8.0.0<=8.3.0 | |
IBM QRadar SIEM | <=7.5 - 7.5.0 UP8 IF01 | |
CVE-2023-46218 is a vulnerability related to cookie handling in the curl library, which allows for a mixed case Public Suffix List (PSL) bypass.
The severity of CVE-2023-46218 is not specified in the provided information.
The affected software is 'curl': on Ubuntu, versions before 8.5.0 (exclusive); on Debian, versions up to and including 7.64.0-4+deb10u2, 7.64.0-4+deb10u7, 7.74.0-1.3+deb11u9, 7.74.0-1.3+deb11u10, 7.88.1-10+deb12u3, 7.88.1-10+deb12u4, and 8.4.0-2.
To fix the CVE-2023-46218 vulnerability on Ubuntu, update the 'curl' package to version 8.5.0 or later.
There is no specific remedy mentioned for the CVE-2023-46218 vulnerability on Debian. Consider monitoring the official Debian security advisories for updates or contact the package maintainers for more information.