Fixed
Fixed in 2021.3.35f1, 2022.3.19f1, 2023.2.10f1, 2023.3.0b5, 2024.1.0a1
Votes: 0
Found in: 2021.3.33f1, 2022.3.17f1, 2023.2.5f1, 2023.3.0b3, 2024.1.0a1
Issue ID: UUM-60184
Regression: No
[Priority_NoRepro] Assessment of CVE-2023-46218
Creating this on behalf of a customer who has asked for an assessment of the following:
>> This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.
https://nvd.nist.gov/vuln/detail/CVE-2023-46218
Reviewing the Curl website, this issue is present in versions up to (and including) 8.4 and has been fixed in 8.5:
https://curl.se/docs/CVE-2023-46218.html
Please assign to WebRequest team
Note: No CQA testing was carried out.
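The mixed-case check described in the quoted CVE text, as an added example that is not part of the original report and is not curl's or Unity's code. It is a simplified model: the three-entry suffix list is constructed, and the function names `accept_cookie_flawed` and `accept_cookie_hardened` are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed three-entry stand-in for the Public Suffix List (lower case). */
static const char *const PSL_SAMPLE[] = { "com", "uk", "co.uk" };

/* Exact, case-sensitive lookup: the list only ever holds lower-case names. */
static int is_public_suffix(const char *domain) {
    for (size_t i = 0; i < sizeof PSL_SAMPLE / sizeof PSL_SAMPLE[0]; i++)
        if (strcmp(domain, PSL_SAMPLE[i]) == 0)
            return 1;
    return 0;
}

/* Case-insensitive: host equals domain, or ends with "." followed by domain. */
static int tail_match(const char *host, const char *domain) {
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0 || dl > hl) return 0;
    for (size_t i = 0; i < dl; i++)
        if (tolower((unsigned char)host[hl - dl + i]) != tolower((unsigned char)domain[i]))
            return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* Flawed: the suffix lookup sees the domain exactly as the server sent it. */
int accept_cookie_flawed(const char *host, const char *cookie_domain) {
    if (is_public_suffix(cookie_domain)) return 0;
    return tail_match(host, cookie_domain);
}

/* Hardened: lower-case the domain before the lookup; refuse oversized input. */
int accept_cookie_hardened(const char *host, const char *cookie_domain) {
    char norm[256];
    size_t n = strlen(cookie_domain);
    if (n >= sizeof norm) return 0;
    for (size_t i = 0; i <= n; i++)   /* i == n copies the terminating NUL */
        norm[i] = (char)tolower((unsigned char)cookie_domain[i]);
    if (is_public_suffix(norm)) return 0;
    return tail_match(host, norm);
}

int main(void) {
    printf("flawed:   %d\n", accept_cookie_flawed("curl.co.uk", "co.UK"));
    printf("hardened: %d\n", accept_cookie_hardened("curl.co.uk", "co.UK"));
    return 0;
}
```

The flawed variant accepts `domain=co.UK` for host `curl.co.uk` because the suffix lookup is case-sensitive while the host match is not; normalizing case before both checks closes the gap.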