CVE-2023-38546

curl: cookie injection with none file

Severity Score

3.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

This flaw allows an attacker to insert cookies at will into a running program
using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles"
that are the individual handles for single transfers.

libcurl provides a function call that duplicates en easy handle called
[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).

If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific file on
disk, the cloned version of the handle would instead store the file name as
`none` (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to
load cookies from would then inadvertently load cookies from a file named
`none` - if such a file exists and is readable in the current directory of the
program using libcurl. And if using the correct file format of course.

Esta falla permite a un atacante insertar cookies a voluntad en un programa en ejecución usando libcurl, si se cumple una serie específica de condiciones. libcurl realiza transferencias. En su API, una aplicación crea "easy handles" que son identificadores individuales para transferencias individuales. libcurl proporciona una llamada de función que duplica un identificador sencillo llamado [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). Si una transferencia tiene cookies habilitadas cuando el identificador está duplicado, el estado de habilitación de cookies también se clona, pero sin clonar las cookies reales. Si el identificador de origen no leyó ninguna cookie de un archivo específico en el disco, la versión clonada del identificador almacenaría el nombre del archivo como "none" (usando las cuatro letras ASCII, sin comillas). El uso posterior del identificador clonado que no establece explícitamente una fuente desde la cual cargar cookies cargaría inadvertidamente cookies desde un archivo llamado "none", si dicho archivo existe y es legible en el directorio actual del programa usando libcurl. Y si utiliza el formato de archivo correcto, por supuesto.

A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if the specific series of conditions are met.

*Credits: N/A

CVSS Scores

NISTv3.1 3.7

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-07-20 CVE Reserved
2023-10-11 CVE Published
2024-09-13 CVE Updated
2024-11-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-73: External Control of File Name or Path

CAPEC

References (12)

URL	Tag	Source
http://seclists.org/fulldisclosure/2024/Jan/34
http://seclists.org/fulldisclosure/2024/Jan/37
http://seclists.org/fulldisclosure/2024/Jan/38
https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ
https://support.apple.com/kb/HT214036
https://support.apple.com/kb/HT214057
https://support.apple.com/kb/HT214058
https://support.apple.com/kb/HT214063

URL	Date	SRC

URL	Date	SRC
https://curl.se/docs/CVE-2023-38546.html	2024-07-09

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-38546	2024-04-29
https://bugzilla.redhat.com/show_bug.cgi?id=2241938	2024-04-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Haxx Search vendor "Haxx"		Libcurl Search vendor "Haxx" for product "Libcurl"				>= 7.9.1 < 8.4.0 Search vendor "Haxx" for product "Libcurl" and version " >= 7.9.1 < 8.4.0"		-		Affected