OSV:CURL-CVE-2023-46218 (osv, Google)
Dec 06, 2023 - 8:00 a.m.

cookie mixed case PSL bypass

2023-12-06 08:00:00
Google
osv.dev
flaw
curl
super cookies
psl
verification
unrelated domains

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 6.5 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 31.0%)

This flaw allows a malicious HTTP server to set “super cookies” in curl that
are then passed back to more origins than what is otherwise allowed or
possible. This allows a site to set cookies that then would get sent to
different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl’s function that
verifies a given cookie domain against the Public Suffix List (PSL). For
example, a cookie could be set with domain=co.UK when the URL used a
lowercase hostname curl.co.uk, even though co.uk is listed as a PSL
domain.
