secure keyword for https://targethttp://target (same
hostname, but using clear text HTTP) using the same cookie setpath=/).
Since this site is not secure, the cookie should just be ignored.The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | RedHat | curl-0:7.61.1-34.el8_10.9 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | curl-0:7.76.1-14.el9_0.12 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | curl-0:7.76.1-23.el9_2.8 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | curl-0:7.76.1-29.el9_4.3 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | curl-0:7.76.1-31.el9_6.2 | * |
| Curl | Ubuntu | devel | * |
| Curl | Ubuntu | esm-infra-legacy/trusty | * |
| Curl | Ubuntu | esm-infra/bionic | * |
| Curl | Ubuntu | esm-infra/focal | * |
| Curl | Ubuntu | esm-infra/xenial | * |
| Curl | Ubuntu | jammy | * |
| Curl | Ubuntu | noble | * |
| Curl | Ubuntu | plucky | * |
| Curl | Ubuntu | questing | * |
| Curl | Ubuntu | upstream | * |