more POST-after-PUT confusion

2023-05-1708:00:00

Google

osv.dev

libcurl

http(s) transfers

curlopt_readfunction

curlopt_postfields

put

post

software

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

5.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.2%

JSON

When doing HTTP(S) transfers, libcurl might erroneously use the read callback
(CURLOPT_READFUNCTION) to ask for data to send, even when the
CURLOPT_POSTFIELDS option has been set, if the same handle previously was
used to issue a PUT request which used that callback.

This flaw may surprise the application and cause it to misbehave and either
send off the wrong data or use memory after free or similar in the second
transfer.

The problem exists in the logic for a reused handle when it is (expected to
be) changed from a PUT to a POST.

CPENameOperatorVersion
curl.giteq7.13.1
curl.giteq7.22.0
curl.giteq7.76.1
curl.giteq7.56.1
curl.giteq7.21.3
curl.giteq7.19.5
curl.giteq7.61.1
curl.giteq7.20.1
curl.giteq7.16.0
curl.giteq7.34.0

Name	Operator	Version
curl.git	eq	7.13.1
curl.git	eq	7.22.0
curl.git	eq	7.76.1
curl.git	eq	7.56.1
curl.git	eq	7.21.3
curl.git	eq	7.19.5
curl.git	eq	7.61.1
curl.git	eq	7.20.1
curl.git	eq	7.16.0
curl.git	eq	7.34.0