Strix
26.1K

CVE-2023-38546

LOWCVSS 3.7/10EPSS 6.21%

Last modified

CVE-2023-38546 is a low-severity vulnerability rated 3.7/10 on the CVSS scale. This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. EPSS estimates a 6.21% chance of exploitation in the next 30 days.

Description

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

Metrics

CVSS 3.1
3.7/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Probability
6.21%

92.6th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
HaxxLibcurl>= 7.9.1, < 8.4.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-38546?
This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.
How severe is CVE-2023-38546?
CVE-2023-38546 has a CVSS score of 3.7/10 (LOW severity). The EPSS model estimates a 6.21% probability of exploitation in the next 30 days.
How do I fix CVE-2023-38546?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-38546?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST