CVE-2023-28322

medium

Published 2023-08-01 · Modified 2024-04-02

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.5

Description

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2023-28322 NameCVE-2023-28322 DescriptionAn information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may…

CVE-2023-28322

Name	CVE-2023-28322
Description	An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3692-1
Debian Bugs	1036239

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
curl (PTS)	bullseye	7.74.0-1.3+deb11u13	fixed
	bullseye (security)	7.74.0-1.3+deb11u16	fixed
	bookworm	7.88.1-10+deb12u14	fixed
	bookworm (security)	7.88.1-10+deb12u5	fixed
	trixie	8.14.1-2+deb13u3	fixed
	forky	8.20.0-2	fixed
	sid	8.20.0-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
curl	source	buster	7.64.0-4+deb10u8	DLA-3692-1
curl	source	bullseye	7.74.0-1.3+deb11u9
curl	source	(unstable)	7.88.1-10		1036239

Notes

https://curl.se/docs/CVE-2023-28322.html
Introduced by: https://github.com/curl/curl/commit/546572da0457f37c698c02d0a08d90fdfcbeedec (curl-7_7)
Fixed by: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de6c5e61272c496b (curl-8_1_0)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://curl.se/docs/CVE-2023-28322.htmlIntroduced by: https://github.com/curl/curl/commit/546572da0457f37c698c02d0a08d90fdfcbeedec (curl-7_7)Fixed by: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de6c5e61272c496b (curl-8_1_0)

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`7.88.1-10`
sid	Fixed	`7.88.1-10`
forky	Fixed	`7.88.1-10`
bullseye	Fixed	`7.74.0-1.3+deb11u9`
bookworm	Fixed	`7.88.1-10`

Red Hat Fixed 2 releases

Version	Status	Fixed in
9	Fixed	—
8	Fixed	—

Rocky Linux Fixed 1 release

Version	Status	Fixed in
8	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.