QwikSec

Security Database

CVE

CWE

Training

CVE-2023-28322

Published: May 26, 2023

Modified: Feb 13, 2026

PUBLISHED

Description

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Vendor	Product	Versions
n/a	https://github.com/curl/curl	affected `Fixed in 8.1.0`

Weaknesses (CWE)

References

https://hackerone.com/reports/1954658

FEDORA-2023-37eac50e9b

vendor-advisory

FEDORA-2023-8ed627bb04

vendor-advisory

https://security.netapp.com/advisory/ntap-20230609-0009/

https://support.apple.com/kb/HT213843

https://support.apple.com/kb/HT213844

https://support.apple.com/kb/HT213845

20230725 APPLE-SA-2023-07-24-6 macOS Big Sur 11.7.9

mailing-list

20230725 APPLE-SA-2023-07-24-5 macOS Monterey 12.6.8

mailing-list

20230725 APPLE-SA-2023-07-24-4 macOS Ventura 13.5

mailing-list

vendor-advisory

[debian-lts-announce] 20231222 [SECURITY] [DLA 3692-1] curl security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.