Detections
Analytics

Alpine: libcurl, multiple curl packages: security update to 8.5.0-r0

medium Tenable Cloud Security Plugin ID 423838

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

 - This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more
 origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get
 sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in
 curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a
 cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though
 `co.uk` is listed as a PSL domain. (CVE-2023-46218)

 - When saving HSTS data to an excessively long file name, curl could end up removing all contents, making
 subsequent requests using that file unaware of the HSTS status they should otherwise use. (CVE-2023-46219)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-46218

https://security.alpinelinux.org/vuln/CVE-2023-46219

Plugin Details

Severity: Medium

ID: 423838

Version: Revision 1.7

Type: Local

Published: 4/4/2025

Updated: 5/30/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2023-46218

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/7/2023

Reference Information

CVE: CVE-2023-46218, CVE-2023-46219

IAVA: 2023-A-0674-S