Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2023-46218

Опубликовано: 07 дек. 2023
Источник: debian
EPSS Низкий

Описание

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
curlfixed8.5.0-1package

Примечания

  • Introduced by: https://github.com/curl/curl/commit/e77b5b7453c1e8ccd7ec0816890d98e2f392e465 (curl-7_46_0)

  • Fixed by: https://github.com/curl/curl/commit/2b0994c29a721c91c572cff7808c572a24d251eb (curl-8_5_0)

  • https://curl.se/docs/CVE-2023-46218.html

EPSS

Процентиль: 56%
0.00337
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2023-46218

CVSS3: 6.5
ubuntu
больше 1 года назад

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

redhat логотип

CVE-2023-46218

CVSS3: 5.3
redhat
больше 1 года назад

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

nvd логотип

CVE-2023-46218

CVSS3: 6.5
nvd
больше 1 года назад

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

msrc логотип

CVE-2023-46218

CVSS3: 6.5
msrc
больше 1 года назад

Описание отсутствует

redos логотип

ROS-20240328-11

CVSS3: 6.5
redos
около 1 года назад

Уязвимость curl

EPSS

Процентиль: 56%
0.00337
Низкий