Monnerat

**Name of the Vulnerable Software and Affected Versions** curl versions prior to 7.88.0 **Description** A cleartext transmission of sensitive information issue exists in curl that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, this HSTS mechanism fails when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS. **Recommendations** For versions prior to 7.88.0, update to version 7.88.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the `--parallel` option with HSTS-enabled transfers until a patch is available. Restrict access to sensitive information and avoid using HTTP-only transfers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** curl versions 7.33.0 through 7.82.0 **Description** An improper authentication issue exists, potentially allowing the reuse of OAUTH2-authenticated connections without ensuring the connection was authenticated with the same credentials as set for the transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S), and LDAP(S) (openldap only). The issue is related to how libcurl maintains a pool of live connections after a transfer has completed, which can lead to an authentication bypass if a connection is reused with different credentials. **Recommendations** For curl versions 7.33.0 through 7.82.0, consider disabling the reuse of OAUTH2-authenticated connections as a temporary workaround until a patch is available. Restrict access to SASL-enabled protocols to minimize the risk of exploitation. Avoid reusing connections authenticated with OAUTH2 bearers for different users or credentials. At the moment, there is no information about a newer version that contains a fix for this vulnerability.