CVE Vulnerabilities


Published: May 26, 2023 | Modified: Dec 22, 2023
CVSS 3.x
CVSS 2.x
3.7 LOW

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously wasused to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Affected Software

Name Vendor Start Version End Version
Curl Haxx * 8.1.0 (excluding)
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-curl-0:8.2.1-1.el8jbcs *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-curl-0:8.2.1-1.el7jbcs *
Red Hat Enterprise Linux 8 RedHat curl-0:7.61.1-33.el8_9.5 *
Red Hat Enterprise Linux 8.6 Extended Update Support RedHat curl-0:7.61.1-22.el8_6.12 *
Red Hat Enterprise Linux 8.8 Extended Update Support RedHat curl-0:7.61.1-30.el8_8.9 *
Red Hat Enterprise Linux 9 RedHat curl-0:7.76.1-23.el9_2.2 *
Red Hat Enterprise Linux 9 RedHat curl-0:7.76.1-23.el9_2.2 *
Red Hat Enterprise Linux 9.0 Extended Update Support RedHat curl-0:7.76.1-14.el9_0.7 *
Red Hat JBoss Core Services 1 RedHat curl *
Curl Ubuntu bionic *
Curl Ubuntu devel *
Curl Ubuntu esm-infra/bionic *
Curl Ubuntu esm-infra/xenial *
Curl Ubuntu focal *
Curl Ubuntu jammy *
Curl Ubuntu kinetic *
Curl Ubuntu lunar *
Curl Ubuntu mantic *
Curl Ubuntu noble *
Curl Ubuntu trusty *
Curl Ubuntu trusty/esm *
Curl Ubuntu upstream *
Curl Ubuntu xenial *