CURL-CVE-2023-23914

See a problem?
Please try reporting it to the source first.
Source
https://curl.se/docs/CVE-2023-23914.html
Import Source
https://curl.se/docs/CURL-CVE-2023-23914.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2023-23914
Aliases
Published
2023-02-15T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
HSTS ignored on multiple requests
Details

curl's HSTS functionality fail when multiple URLs are requested serially.

Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.

Reproducible like this:

curl --hsts "" https://curl.se http://curl.se

The first URL returns HSTS information that the second URL fails to take advantage of.

References
Credits
    • Harry Sintonen - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.77.0
Fixed
7.88.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
7385610d0c74c6a254fea5e4cd6e1d559d848c8c
Fixed
076a2f629119222aeeb50f5a03bf9f9052fabb9a

Affected versions

7.*

7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0