Cookie Domain Flaw in Curl Affects Multiple Platforms
CVE-2023-46218

6.5MEDIUM

Key Information:

Vendor: Curl
Status: Curl
Vendor: CVE Published:; 7 December 2023

What is CVE-2023-46218?

This security vulnerability in curl allows a malicious HTTP server to exploit a flaw in how cookie domains are verified. Specifically, it permits the setting of 'super cookies' that may be sent back to a wider array of unrelated sites and domains than originally intended. The root cause stems from a mixed case flaw in curl's domain verification process with the Public Suffix List (PSL), allowing, for instance, a cookie with 'domain=co.UK' to be set when accessing a URL with a lower-case hostname such as 'curl.co.uk', even though 'co.uk' is recognized as a PSL domain. This behavior significantly undermines cookie security and user privacy across the web.

Affected Version(s)

curl 8.4.0

curl 7.46.0

References

https://hackerone.com/reports/2212193

https://curl.se/docs/CVE-2023-46218.html

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 7, 2023
Vulnerability Reserved
Oct 19, 2023