Cleartext Transmission of Sensitive Information Affecting curl package, versions <7.87.0-2ubuntu1


Severity

Recommended
low

Based on Ubuntu security rating

    Threat Intelligence

    EPSS
    0.07% (32nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-UBUNTU2304-CURL-5463849
  • published 15 Feb 2023
  • disclosed 23 Feb 2023

How to fix?

Upgrade Ubuntu:23.04 curl to version 7.87.0-2ubuntu1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:23.04 relevant fixed versions and status.

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.

CVSS Scores

version 3.1
Expand this section

NVD

6.5 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

SUSE

7.4 high
Expand this section

Red Hat

4.2 medium