ubuntucve | Ubuntu.com | UB:CVE-2023-28322
May 17, 2023 - 12:00 a.m.

CVE-2023-28322


CVSS3: 3.7

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001
Percentile: 49.8%

An information disclosure vulnerability exists in curl <v8.1.0. When doing
HTTP(S) transfers, libcurl might erroneously use the read callback
(CURLOPT_READFUNCTION) to ask for data to send, even when the
CURLOPT_POSTFIELDS option has been set, if the same handle was previously
used to issue a PUT request which used that callback. This flaw may
surprise the application and cause it to misbehave and either send off the
wrong data or use memory after free or similar in the second transfer. The
problem exists in the logic for a reused handle when it is (expected to be)
changed from a PUT to a POST.

OS      OS Version  Architecture  Package  Affected Version              Filename
ubuntu  18.04       noarch        curl     < 7.58.0-2ubuntu3.24+esm1     UNKNOWN
ubuntu  20.04       noarch        curl     < 7.68.0-1ubuntu2.19          UNKNOWN
ubuntu  22.04       noarch        curl     < 7.81.0-1ubuntu1.11          UNKNOWN
ubuntu  22.10       noarch        curl     < 7.85.0-1ubuntu0.6           UNKNOWN
ubuntu  23.04       noarch        curl     < 7.88.1-8ubuntu2.1           UNKNOWN
ubuntu  23.10       noarch        curl     < 7.88.1-10ubuntu1            UNKNOWN
ubuntu  24.04       noarch        curl     < 7.88.1-10ubuntu1            UNKNOWN
ubuntu  14.04       noarch        curl     < 7.35.0-1ubuntu2.20+esm16    UNKNOWN
ubuntu  16.04       noarch        curl     < 7.47.0-1ubuntu2.19+esm9     UNKNOWN
