CVE-2023-46219
First published: Wed Nov 29 2023(Updated: )
When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Haxx Curl | >=7.84.0<8.5.0 | |
| Fedoraproject Fedora | =38 | |
| redhat/curl | <8.5.0 | 8.5.0 |
| ubuntu/curl | <7.88.1-8ubuntu2.4 | 7.88.1-8ubuntu2.4 |
| ubuntu/curl | <8.2.1-1ubuntu3.2 | 8.2.1-1ubuntu3.2 |
| ubuntu/curl | <8.5.0-2ubuntu1 | 8.5.0-2ubuntu1 |
| ubuntu/curl | <8.5.0 | 8.5.0 |
| debian/curl | <=7.74.0-1.3+deb11u11 | 7.64.0-4+deb10u2 7.64.0-4+deb10u9 7.88.1-10+deb12u5 8.7.1-5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://hackerone.com/reports/2236133
- https://curl.se/docs/CVE-2023-46219.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
- https://www.debian.org/security/2023/dsa-5587
- https://security.netapp.com/advisory/ntap-20240119-0007/
- https://launchpad.net/bugs/cve/CVE-2023-46219
- https://seclists.org/oss-sec/2023/q4/262
- https://daniel.haxx.se/blog/2023/12/06/curl-8-5-0/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2253143
- https://access.redhat.com/errata/RHSA-2024:1317
- https://access.redhat.com/errata/RHSA-2024:1316
- https://bugzilla.redhat.com/show_bug.cgi?id=2252034
- https://github.com/curl/curl/commit/20f9dd6bae50b7223171b17ba7798946e74f877f
- https://github.com/curl/curl/commit/73b65e94f3531179de45c6f3c836a610e3d0a846
- https://security-tracker.debian.org/tracker/CVE-2023-46219
- https://ubuntu.com/security/notices/USN-6535-1
- https://www.cve.org/CVERecord?id=CVE-2023-46219
- https://nvd.nist.gov/vuln/detail/CVE-2023-46219
- https://github.com/curl/curl/commit/73b65e94f3531179de45
- https://ubuntu.com/security/CVE-2023-46219
Frequently Asked Questions
What is CVE-2023-46219?
CVE-2023-46219 is a vulnerability in the curl package that allows an attacker to clear the contents of a file with a long name when using HTTP Strict Transport Security (HSTS).
Which software versions are affected?
The affected software versions include curl 8.5.0 and earlier, curl 7.88.1-8ubuntu2.4 and earlier, curl 8.2.1-1ubuntu3.2 and earlier, and curl 7.64.0-4+deb10u2 to curl 8.4.0-2.
How can I fix the CVE-2023-46219 vulnerability?
To fix the CVE-2023-46219 vulnerability, update the curl package to a version that includes the necessary security patches.
Where can I find more information about CVE-2023-46219?
You can find more information about CVE-2023-46219 on the MITRE CVE website (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46219) and the curl documentation (https://curl.se/docs/CVE-2023-46219.html).
Are there any security notices related to CVE-2023-46219?
Yes, you can refer to the Ubuntu security notice USN-6535-1 (https://ubuntu.com/security/notices/USN-6535-1) for more information on the CVE-2023-46219 vulnerability.
- agent/type
- agent/author
- agent/remedy
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-cve
- collector/launchpad-cve
- source/Launchpad
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-46219
- agent/tags
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/references
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/haxx
- canonical/haxx curl
- version/haxx curl/7.84.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu