CVE-2023-46218 & CVE-2023-46219: Two Vulnerabilities Discovered in Curl

curl, a popular tool for transferring data from or to a server, has been found to contain two vulnerabilities that could expose users to cookie hijacking and HSTS data loss. These vulnerabilities, tracked as CVE-2023-46218 and CVE-2023-46219, affect a wide range of curl versions, making it imperative for users to take immediate action to mitigate the risks.

CVE-2023-46218: Cookie Mixed Case PSL Bypass

This vulnerability allows a malicious HTTP server to set “super cookies” in curl that are then passed back to more origins than what is otherwise allowed or possible. This could allow a site to set cookies that would then be sent to different and unrelated sites and domains.

Affected Versions:

  • Affected: curl 7.46.0 up to and including 8.4.0
  • Not affected: curl < 7.46.0 and >= 8.5.0

CVE-2023-46219: HSTS Long File Name Clears Contents

This vulnerability could allow an attacker to clear the contents of a file that contains HSTS (HTTP Strict Transport Security) data. This could then cause curl to make requests to a site without using HTTPS, even if the site is supposed to use HTTPS.

Affected Versions:

  • Affected: curl 7.84.0 up to and including 8.4.0
  • Not affected: curl < 7.84.0 and >= 8.5.0

Recommendations

All curl users are strongly recommended to upgrade to the latest version, curl 8.5.0, immediately. This version addresses both of the vulnerabilities described above.
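
To decide which hosts need the upgrade, the affected ranges listed above can be turned into a version check. The script below is an added example, not code from the curl project; the function names and the sample `curl --version` banners are constructed for illustration. It assumes the reported version number is accurate, so a distribution build with backported patches will still be flagged.

```shell
#!/bin/sh
# Added example: flag libcurl versions inside the affected ranges stated on this page.
# It compares version numbers only; it cannot see patches a distribution backported.

# ver_to_int X.Y.Z[suffix] -> one comparable integer; fails on malformed input
ver_to_int() {
  v=${1%%[!0-9.]*}                 # drop suffixes such as "-DEV"
  old_ifs=$IFS; IFS=.
  set -- $v                        # split on dots into $1 $2 $3
  IFS=$old_ifs
  [ $# -eq 3 ] || return 1
  for part in "$1" "$2" "$3"; do
    case $part in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
  done
  echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# in_range VERSION FIRST LAST -> success when FIRST <= VERSION <= LAST (inclusive)
in_range() {
  n=$(ver_to_int "$1") || return 2
  [ "$n" -ge "$(ver_to_int "$2")" ] && [ "$n" -le "$(ver_to_int "$3")" ]
}

# affected_cves VERSION -> prints the matching CVE ids, "none", or "unparsable"
affected_cves() {
  ver_to_int "$1" >/dev/null || { echo unparsable; return 0; }
  hits=""
  # First and last affected versions as given on this page
  if in_range "$1" 7.46.0 8.4.0; then hits="$hits CVE-2023-46218"; fi
  if in_range "$1" 7.84.0 8.4.0; then hits="$hits CVE-2023-46219"; fi
  echo "${hits:-none}" | sed 's/^ //'
}

# libcurl_version LINE -> the libcurl/X.Y.Z token from the first line of `curl --version`
libcurl_version() {
  printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample banners (not captured from real hosts)
for banner in \
  "curl 7.45.0 (x86_64-pc-linux-gnu) libcurl/7.45.0 OpenSSL/1.0.2" \
  "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2" \
  "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11" \
  "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.12"
do
  ver=$(libcurl_version "$banner")
  echo "libcurl $ver: $(affected_cves "$ver")"
done
```

To check a local install, pass the first line of `curl --version` through `libcurl_version` and feed the result to `affected_cves`.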

If you are unable to upgrade to curl 8.5.0 immediately, you can apply the patches for these vulnerabilities to your local version of curl. However, this is not a long-term solution, and you should upgrade to curl 8.5.0 as soon as possible.

If you are unable or unwilling to upgrade or patch curl, you can mitigate the risk of these vulnerabilities by not using cookies or HSTS. However, this will disable some of the security features of curl, so it is not a recommended solution.