{"id":"CURL-CVE-2023-38546","summary":"cookie injection with none file","details":"This flaw allows an attacker to intentionally inject cookies into a running\nprogram using libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates an easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the filename as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl, when using the correct file format of course.","aliases":["CVE-2023-38546"],"modified":"2024-09-11T06:12:53.417342Z","published":"2023-10-11T08:00:00Z","database_specific":{"issue":"https://hackerone.com/reports/2148242","award":{"currency":"USD","amount":"540"},"severity":"Low","affects":"lib","www":"https://curl.se/docs/CVE-2023-38546.html","CWE":{"desc":"External Control of filename or Path","id":"CWE-73"},"package":"curl","URL":"https://curl.se/docs/CVE-2023-38546.json","last_affected":"8.3.0"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.9.1"},{"fixed":"8.4.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"74d5a6fb3b9a96d9fa51ba90996e94c878ebd151"},{"fixed":"61275672b46d9abb3285740467b882e22ed75da8"}]}],"versions":["8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1"],"database_specific":{"vanir_signatures":[{"signature_type":"Line","target":{"file":"lib/easy.c"},"source":"https://github.com/curl/curl.git/commit/61275672b46d9abb3285740467b882e22ed75da8","digest":{"line_hashes":["199136241671650652511274930252986256045","42665996665169304734882484698486354698","4405662191663126453747164771707479671","172985393652176184364339079340623531722","186503211875549610679090051118793295636","178260927132712115800898514182779878249"],"threshold":0.9},"deprecated":false,"id":"CURL-CVE-2023-38546-1ce2624e","signature_version":"v1"},{"signature_type":"Function","target":{"function":"Curl_cookie_init","file":"lib/cookie.c"},"source":"https://github.com/curl/curl.git/commit/61275672b46d9abb3285740467b882e22ed75da8","digest":{"length":1326,"function_hash":"188971747952371706096963993839954570311"},"deprecated":false,"id":"CURL-CVE-2023-38546-2cd36be3","signature_version":"v1"},{"signature_type":"Function","target":{"function":"dup_cookie","file":"lib/cookie.c"},"source":"https://github.com/curl/curl.git/commit/61275672b46d9abb3285740467b882e22ed75da8","digest":{"length":573,"function_hash":"235524769109963777220456287689686308957"},"deprecated":false,"id":"CURL-CVE-2023-38546-30128877","signature_version":"v1"},{"signature_type":"Line","target":{"file":"lib/cookie.c"},"source":"https://github.com/curl/curl.git/commit/61275672b46d9abb3285740467b882e22ed75da8","digest":{"line_hashes":["11646953340434640017618853052087348186","169581628017345762767363363332763990110","156199889676793821112406664707093780669","73203174095020027545703459114407343754","299115763395977645565934524490915256238","55744630793299518979277365916623994387","304170868349100621423182801158474608310","207848190215452905887938573908567185121","119595957797779563473285294592821427767","324553776354522457928145933274234757672","130574802191916525691726113787983057215","210543757934925512014912210824126674253","318961669295859471332509689457274987217","103949081372521712320033159823630730396","11840340143740502548987839498421521164","243479160105690137142161276830660957332","168916195885212224501304508281965024815","51341235249050544170214798611694244283","8222427579438070667674552911247956814","70544278682875687590475380751306928403","46871534868972407439819102786723545186","296489185988184083439638823731243848839","62466582239292976560138521216414213975","331229538542176061814656164965154752191","338553498093831417549868365887811948241","178667821790575351649232261943785220013","73347553779081639988982770964246883579","36052083293354905962274017801936831849","69793888898150932330740411393340649360","115979691827844080868778241709148890378"],"threshold":0.9},"deprecated":false,"id":"CURL-CVE-2023-38546-4fb006f0","signature_version":"v1"},{"signature_type":"Function","target":{"function":"curl_easy_duphandle","file":"lib/easy.c"},"source":"https://github.com/curl/curl.git/commit/61275672b46d9abb3285740467b882e22ed75da8","digest":{"length":2994,"function_hash":"96066601292136457682791615795610017253"},"deprecated":false,"id":"CURL-CVE-2023-38546-5d4e9eea","signature_version":"v1"},{"signature_type":"Line","target":{"file":"lib/cookie.h"},"source":"https://github.com/curl/curl.git/commit/61275672b46d9abb3285740467b882e22ed75da8","digest":{"line_hashes":["182686644011925034525981872846039779227","257299329565571297702715617728822593192","186755766494231735831609692938683755822","328239138349289546573619567297074486135","295074425431803080956085555371588743841","271649910238244438731991493118707536732","171744273663144709776752309349000894549","132610875530158427994913623237276753225","224724457484643854517064872015608723021","76881436190947214791911161485545110781","312570986722605685295183143779037658468","54198428815954965674585211158913249665","21918730241718093690520680105754428807","330478155460803476623017979707845229507","319990965525942506699335375935194533643","257040997033756347215855998668153623646"],"threshold":0.9},"deprecated":false,"id":"CURL-CVE-2023-38546-63c05dc3","signature_version":"v1"},{"signature_type":"Function","target":{"function":"Curl_cookie_cleanup","file":"lib/cookie.c"},"source":"https://github.com/curl/curl.git/commit/61275672b46d9abb3285740467b882e22ed75da8","digest":{"length":218,"function_hash":"204047718523402923667618614377739542243"},"deprecated":false,"id":"CURL-CVE-2023-38546-c06f6062","signature_version":"v1"},{"signature_type":"Function","target":{"function":"freecookie","file":"lib/cookie.c"},"source":"https://github.com/curl/curl.git/commit/61275672b46d9abb3285740467b882e22ed75da8","digest":{"length":310,"function_hash":"183150937645941223601356388707303686870"},"deprecated":false,"id":"CURL-CVE-2023-38546-d531729c","signature_version":"v1"},{"signature_type":"Function","target":{"function":"Curl_cookie_add","file":"lib/cookie.c"},"source":"https://github.com/curl/curl.git/commit/61275672b46d9abb3285740467b882e22ed75da8","digest":{"length":10474,"function_hash":"168652081337855537874021364294213475037"},"deprecated":false,"id":"CURL-CVE-2023-38546-f1c53ad8","signature_version":"v1"}],"source":"https://curl.se/docs/CURL-CVE-2023-38546.json"}}],"schema_version":"1.7.3","credits":[{"name":"w0x42 on hackerone","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}