Vulnerability Details: CVE-2023-46219
Potential exploit
When saving HSTS data to an excessively long file name, curl could end up
removing all contents, making subsequent requests using that file unaware of
the HSTS status they should otherwise use.
Products affected by CVE-2023-46219
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-46219
0.19% - Probability of exploitation activity in the next 30 days
~42% - Percentile: the proportion of all scored vulnerabilities with an EPSS score at or below this one
CVSS scores for CVE-2023-46219
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2023-46219
- The product does not encrypt sensitive or critical information before storage or transmission. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-46219
- https://hackerone.com/reports/2236133
  curl | Report #2236133 - CVE-2023-46219: HSTS long file name clears contents | HackerOne (Exploit; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20240119-0007/
  CVE-2023-46219 curl Vulnerability in NetApp Products | NetApp Product Security
- https://curl.se/docs/CVE-2023-46219.html
  curl - HSTS long file name clears contents - CVE-2023-46219 (Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
  [SECURITY] Fedora 38 Update: curl-8.0.1-6.fc38 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5587
  Debian -- Security Information -- DSA-5587-1 curl