A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
References
Link | Resource |
---|---|
https://hackerone.com/reports/1826048 | Not Applicable |
https://security.gentoo.org/glsa/202310-12 | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230309-0006/ | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
|
History
27 Mar 2024, 14:55
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* |
|
First Time |
Splunk
Splunk universal Forwarder |
20 Oct 2023, 18:57
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* cpe:2.3:a:netapp:clustered_data_ontap:9.0:-:*:*:*:*:*:* cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* |
|
References | (GENTOO) https://security.gentoo.org/glsa/202310-12 - Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20230309-0006/ - Third Party Advisory | |
First Time |
Netapp h700s Firmware
Netapp h700s Netapp h300s Netapp h410s Firmware Netapp h500s Firmware Netapp active Iq Unified Manager Netapp clustered Data Ontap Netapp h300s Firmware Netapp Netapp h410s Netapp h500s |
11 Oct 2023, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Mar 2023, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
03 Mar 2023, 16:10
Type | Values Removed | Values Added |
---|---|---|
First Time |
Haxx curl
Haxx |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CWE | CWE-319 | |
CPE | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | |
References |
|
|
References | (MISC) https://hackerone.com/reports/1826048 - Not Applicable |
23 Feb 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-02-23 20:15
Updated : 2024-03-27 14:55
NVD link : CVE-2023-23915
Mitre link : CVE-2023-23915
CVE.ORG link : CVE-2023-23915
JSON object : View
Products Affected
netapp
- h700s_firmware
- h300s_firmware
- h500s
- h300s
- h410s
- h410s_firmware
- h500s_firmware
- active_iq_unified_manager
- clustered_data_ontap
- h700s
splunk
- universal_forwarder
haxx
- curl
CWE
CWE-319
Cleartext Transmission of Sensitive Information