Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-46218

Опубликовано: 07 дек. 2023
Источник: nvd
CVSS3: 6.5
EPSS Низкий

Описание

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Версия от 7.46.0 (включая) до 8.4.0 (включая)
Конфигурация 2
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

EPSS

Процентиль: 56%
0.00337
Низкий

6.5 Medium

CVSS3

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

ubuntu логотип

CVE-2023-46218

CVSS3: 6.5
ubuntu
больше 1 года назад

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

redhat логотип

CVE-2023-46218

CVSS3: 5.3
redhat
больше 1 года назад

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

msrc логотип

CVE-2023-46218

CVSS3: 6.5
msrc
больше 1 года назад

Описание отсутствует

debian логотип

CVE-2023-46218

CVSS3: 6.5
debian
больше 1 года назад

This flaw allows a malicious HTTP server to set "super cookies" in cur ...

redos логотип

ROS-20240328-11

CVSS3: 6.5
redos
около 1 года назад

Уязвимость curl

EPSS

Процентиль: 56%
0.00337
Низкий

6.5 Medium

CVSS3

Дефекты

NVD-CWE-noinfo
Уязвимость CVE-2023-46218