Описание
This flaw allows an attacker to insert cookies at will into a running program
using libcurl, if the specific series of conditions are met.
libcurl performs transfers. In its API, an application creates "easy handles"
that are the individual handles for single transfers.
libcurl provides a function call that duplicates en easy handle called
curl_easy_duphandle.
If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific file on
disk, the cloned version of the handle would instead store the file name as
none (using the four ASCII letters, no quotes).
Subsequent use of the cloned handle that does not explicitly set a source to
load cookies from would then inadvertently load cookies from a file named
none - if such a file exists and is readable in the current directory of the
program using libcurl. And if using the correct file format of course.
A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if the specific series of conditions are met.
Отчет
The flaw requires a series of conditions to be met and the likeliness that they shall allow an attacker to take advantage of it is low. Even if the bug could be made to trigger, the risk that a cookie injection can be done to cause harm is additionally also low. The updated puppet-client has been released and consumed in downstream packages. This includes RH Satellite.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| .NET 6.0 on Red Hat Enterprise Linux | rh-dotnet60 | Out of support scope | ||
| Red Hat Enterprise Linux 6 | curl | Out of support scope | ||
| Red Hat Enterprise Linux 7 | curl | Out of support scope | ||
| JBoss Core Services for RHEL 8 | jbcs-httpd24-curl | Fixed | RHSA-2023:7625 | 07.12.2023 |
| JBoss Core Services on RHEL 7 | jbcs-httpd24-curl | Fixed | RHSA-2023:7625 | 07.12.2023 |
| Red Hat Enterprise Linux 8 | curl | Fixed | RHSA-2024:1601 | 02.04.2024 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | curl | Fixed | RHSA-2023:6292 | 02.11.2023 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | curl | Fixed | RHSA-2023:7540 | 28.11.2023 |
| Red Hat Enterprise Linux 9 | curl | Fixed | RHSA-2023:5763 | 17.10.2023 |
| Red Hat Enterprise Linux 9 | curl | Fixed | RHSA-2023:6745 | 07.11.2023 |
Показывать по
Дополнительная информация
Статус:
EPSS
3.7 Low
CVSS3
Связанные уязвимости
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program ...
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program
This flaw allows an attacker to insert cookies at will into a running ...
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the prog...
EPSS
3.7 Low
CVSS3