Search Issue Tracker

Fixed

Fixed in 2021.3.35f1, 2022.3.19f1, 2023.2.10f1, 2023.3.0b5, 7000.0.0a1

Votes

0

Found in

2021.3.33f1

2022.3.17f1

2023.2.5f1

2023.3.0b3

7000.0.0a1

Issue ID

UUM-60184

Regression

No

[Priority_NoRepro] Assessment of CVE-2023-46218

--

-

Creating this on behalf of a customer who has asked for an assessment of the following:
>> This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.
[https://nvd.nist.gov/vuln/detail/CVE-2023-46218|https://nvd.nist.gov/vuln/detail/CVE-2023-46218]

Reviewing the Curl website, this issue is present in versions up to (and including) 8.4 and has been fixed in 8.5:
[https://curl.se/docs/CVE-2023-46218.html|https://curl.se/docs/CVE-2023-46218.html]

Please assign to WebRequest team

Note: No CQA testing was carried out.

Add comment

Log in to post comment

All about bugs

View bugs we have successfully reproduced, and vote for the bugs you want to see fixed most urgently.