| Summary | An information disclosure vulnerability exists in curl <v8.1.0. When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. |
|---|---|
| Publication Date | May 27, 2023, 6:15 a.m. |
| Registration Date | May 27, 2023, 10 a.m. |
| Last Update | Nov. 21, 2024, 4:54 p.m. |

| CVSS3.1 : LOW | |
|---|---|
| Score | 3.7 |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | High |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality Impact (C) | Low |
| Integrity Impact (I) | None |
| Availability Impact (A) | None |

| Configuration1 | or higher | or less | more than | less than |
|---|---|---|---|---|
| cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | | | | 8.1.0 |

| Configuration2 | or higher | or less | more than | less than |
|---|---|---|---|---|
| cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* | | | | |
| cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* | | | | |

| Configuration3 | or higher | or less | more than | less than |
|---|---|---|---|---|
| cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* | 13.0 | | | 13.5 |
| cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* | 12.0 | | | 12.6.8 |
| cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* | 11.0 | | | 11.7.9 |

| Configuration4 | or higher | or less | more than | less than |
|---|---|---|---|---|
| cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:* | | | | |
| cpe:2.3:a:netapp:ontap_antivirus_connector:-:*:*:*:*:*:*:* | | | | |

| Configuration5 | or higher | or less | more than | less than |
|---|---|---|---|---|
| cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* | | | | |
| execution environment | | | | |
| 1 | cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:* | | | |

| Configuration6 | or higher | or less | more than | less than |
|---|---|---|---|---|
| cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* | | | | |
| execution environment | | | | |
| 1 | cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:* | | | |

| Configuration7 | or higher | or less | more than | less than |
|---|---|---|---|---|
| cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* | | | | |
| execution environment | | | | |
| 1 | cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:* | | | |

| Configuration8 | or higher | or less | more than | less than |
|---|---|---|---|---|
| cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* | | | | |
| execution environment | | | | |
| 1 | cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:* | | | |

| Title | Vulnerability in Haxx cURL and other products from multiple vendors |
|---|---|
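| Summary | Haxx cURL and other products from multiple vendors contain an unspecified vulnerability. |
| Possible impacts | Information may be obtained. |
| Solution | Vendor advisories or patch information have been published. Refer to the reference information and apply the appropriate countermeasures. |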
| Publication Date | May 26, 2023, midnight |
| Registration Date | Dec. 27, 2023, 2:56 p.m. |
| Last Update | Dec. 15, 2025, 1:42 p.m. |
| Apple |
| macOS 11.0 or later and earlier than 11.7.9 |
| macOS 12.0 or later and earlier than 12.6.8 |
| macOS 13.0 or later and earlier than 13.5 |
| Hitachi |
| EP8000 E1050 |
| EP8000 E980 |
| EP8000 S1014 |
| EP8000 S1024 |
| EP8000 S914 |
| EP8000 S924 |
| Fedora Project |
| Fedora 37 |
| Fedora 38 |
| Haxx |
| cURL earlier than 8.1.0 |
| NetApp |
| H300S firmware |
| H410S firmware |
| H500S firmware |
| H700S firmware |
| ONTAP (formerly Clustered Data ONTAP) |
| ontap antivirus connector |

| No | Changed Details | Date of change |
|---|---|---|
| 3 | [2024-08-30] Affected systems: content updated following the addition of vendor information. Vendor information: added Hitachi (hitachi-sec-2024-212) | Aug. 30, 2024, 5 p.m. |
| 1 | [2023-12-27] Published | Dec. 27, 2023, 2:56 p.m. |
| 2 | [2024-02-20] References: added JVN (JVNVU#91198149). References: added ICS-CERT ADVISORY (ICSA-24-046-15) | Feb. 20, 2024, 10:14 a.m. |
| 4 | [2025-12-15] References: added JVN (JVNVU#99514792) | Dec. 15, 2025, 11:37 a.m. |