curl's HSTS cache saving behaves wrongly when multiple URLs are requested in parallel.
With HSTS support enabled, curl can be told to use HTTPS even when the URL given is http://, so the transfer never takes an insecure clear-text HTTP step. This mechanism would however fail when multiple transfers are done in parallel: the HSTS cache file gets overwritten by the most recently completed transfer, so HSTS entries recorded by transfers that finished earlier are lost from the file.
A later HTTP-only transfer to one of those earlier hostnames would then not be upgraded to HTTPS and is sent in clear text — exactly the cleartext transmission (CWE-319) that HSTS is meant to prevent.
Reproducible like this (the second command should be upgraded to https://curl.se but is sent over plain HTTP instead):
curl --hsts hsts.txt --parallel https://curl.se https://example.com
curl --hsts hsts.txt http://curl.se
{
"issue": "https://hackerone.com/reports/1814333",
"CWE": {
"desc": "Cleartext Transmission of Sensitive Information",
"id": "CWE-319"
},
"award": {
"currency": "USD",
"amount": "480"
},
"affects": "both",
"www": "https://curl.se/docs/CVE-2023-23915.html",
"last_affected": "7.87.0",
"severity": "Low",
"URL": "https://curl.se/docs/CVE-2023-23915.json",
"package": "curl"
}[
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"82451440526091596190416680049711622192",
"202389981090709065853492774138138418959",
"31140244074829462660931570420898389375",
"250598913800445393542016912767607534971",
"225980906437672378224597453801340005734",
"90678634670407324789922817664574892219",
"122168756509406516429708106687686401106",
"135069773483626961641541264823665265961",
"298035261371194627355538744591329017010",
"16219853417824616242366911435238435270",
"162156050127606652250425047242673753557",
"169898101254020448180401279358881019051",
"175398258928310456522432454049699507402",
"86304266166675628394632614847565793402",
"238109732409054062520654253457137939865",
"340017270325253531196731198952677486443",
"91564265886334082202243613151815865332",
"213281136004135154119939850969425809157",
"45407483833966010252528014466682843549",
"32091259491261548615334281907325171883",
"315746684491214009378483121730886846564",
"264268795465841451357583040883813488553",
"263264310373130654979803015793962816501",
"246262560339677526027375859650567645393",
"9282827196930141182005985157246507407",
"336632632281577345657679019440345116148",
"263143953382413643679218282230011144281",
"334251979122196415400285159510242456133",
"229563070578915145181785639210110350682"
]
},
"target": {
"file": "lib/setopt.c"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-0356669c",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"81298516931518092722032620450036562805",
"131665174262377165205467487057408913532",
"146830524771089566113492699295957603241",
"121733846314682508574846201633963220974"
]
},
"target": {
"file": "lib/url.c"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-1c0a7a30",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"103372102345878776588641474089368209928",
"152067924783240037202787893167506770350",
"7746138722062160250244778802444877905",
"155009378828254279286090131001640317184"
]
},
"target": {
"file": "lib/urldata.h"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-1fe69110",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "78503270755360167760487452513681233828",
"length": 989.0
},
"target": {
"file": "lib/share.c",
"function": "curl_share_cleanup"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-27b27162",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"245712974534621529831993597344352142443",
"122923717408232090499260057437153371134",
"117225080125953929088609938998732711365",
"262710635254875236936328680400952254253"
]
},
"target": {
"file": "include/curl/curl.h"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-39096ace",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"265974011670274527010009946255328579611",
"231369669490237754826490051281733503338",
"90828035202475992188154012154888219754",
"17801975575738596479978457931667442819",
"83312106701310623811764343735100176467",
"185829385694448784730873035931717149963"
]
},
"target": {
"file": "lib/share.h"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-49af2d84",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"317737156888860158888180976184082947388",
"296772438286135597766018391408284568428",
"93863599463335824020144245231455699735",
"187440963696661346408659508771285993647",
"126541588144396179810650934492823781912"
]
},
"target": {
"file": "lib/hsts.c"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-55f18285",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"323284887027130569251074238736564148118",
"34687696054589859158880763057880021505",
"295830824979080249078878088056385764961",
"318545017166036224884146334275586543147"
]
},
"target": {
"file": "lib/hsts.h"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-5d8a9b1b",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "188099668725394989166685344047949408256",
"length": 3508.0
},
"target": {
"file": "lib/transfer.c",
"function": "Curl_pretransfer"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-88e21f12",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "87556514541982823078820041778802007757",
"length": 2321.0
},
"target": {
"file": "lib/share.c",
"function": "curl_share_setopt"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-91e6c0ee",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"4820130694093282531383537802642963820",
"330218359836502049093817216140070657199",
"16438427537648136967909612007949394277"
]
},
"target": {
"file": "lib/transfer.c"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-97f0bd88",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"245466321832339527116660896618474575717",
"38226126048150584580867928621410392582",
"242547863109362497744444513058980057783",
"70647329269378109194206434157514346725",
"136673927380771676907849843947125828259",
"145043333416790488336473315238986483130",
"277760925257594173381926824670891351887",
"136673927380771676907849843947125828259",
"145043333416790488336473315238986483130",
"315810932162440782704045016446781039486",
"179464127795319789708067166569152807361",
"320552856034564234648874916627478362387",
"104906062842268595740166511201528157654"
]
},
"target": {
"file": "lib/share.c"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-c50b64f2",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "51837919229063511304895451007570275438",
"length": 2700.0
},
"target": {
"file": "lib/url.c",
"function": "Curl_close"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-d8f84a95",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "212147244672599344668514893440215258735",
"length": 58864.0
},
"target": {
"file": "lib/setopt.c",
"function": "Curl_vsetopt"
},
"signature_version": "v1",
"id": "CURL-CVE-2023-23915-ffc11d95",
"deprecated": false,
"source": "https://github.com/curl/curl.git/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a"
}
]