PT-2023-19297 · Curl+6
Monnerat · Published 2023-02-15 · Updated 2026-05-18 · CVE-2023-23915
CVSS v3.1: 6.5 Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
curl versions prior to 7.88.0
Description
A cleartext transmission of sensitive information issue exists in curl that causes its HSTS functionality to fail when multiple URLs are requested in parallel. With HSTS support enabled (the --hsts <file> option), curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when the URL is given as http://. This HSTS mechanism fails, however, when multiple transfers run in parallel (--parallel / -Z): each transfer keeps its own copy of the HSTS cache and rewrites the whole cache file when it completes, so the file ends up holding only what the most recently completed transfer knew. A later HTTP-only transfer to a host name that an earlier transfer had learned as HSTS-enabled would then not be upgraded to HTTPS and would go out in clear text.
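To make the overwrite mechanism concrete, the following is an added simulation written for this page, not curl's own code: a per-transfer HSTS cache that rewrites its file on completion (the pre-7.88.0 shape, where the last writer wins) beside a single cache shared by all transfers (the shape of the 7.88.0 fix, which added sharing of the HSTS cache between transfers). The class and function names, the one-host-per-line file format, the three sample hosts and the completion order are all constructed for the example and are not curl's real file layout or internals.

```python
"""Simplified model of HSTS cache persistence across parallel transfers.

Added example for CVE-2023-23915; not curl's source. Every name here is
invented for illustration.
"""
import os
import tempfile
from typing import Dict, List, Set


class HstsCache:
    """In-memory set of HSTS hosts backed by a file, one host per line.

    Constructed format for the example; curl's .hsts file looks different.
    """

    def __init__(self, path: str):
        self.path = path
        self.hosts: Set[str] = set()
        self.load()

    def load(self) -> None:
        if os.path.exists(self.path):
            with open(self.path) as f:
                self.hosts = {line.strip() for line in f if line.strip()}

    def save(self) -> None:
        # Whole-file rewrite: the file becomes exactly what this cache holds.
        # Any host learned by a different cache object is lost here.
        with open(self.path, "w") as f:
            f.write("".join(h + "\n" for h in sorted(self.hosts)))

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// when the host is a known HSTS host."""
        scheme, rest = url.split("://", 1)
        host = rest.split("/", 1)[0]
        if scheme == "http" and host in self.hosts:
            return "https://" + rest
        return url


# Constructed sample: host -> whether its response carried
# Strict-Transport-Security. c.example is a plain HTTP host.
RESPONSES: Dict[str, bool] = {"a.example": True, "b.example": True, "c.example": False}


def run_parallel_separate_caches(path: str, completion_order: List[str]) -> HstsCache:
    """Vulnerable shape: each parallel transfer loads its own cache copy at
    start and rewrites the whole file when it finishes. The last transfer to
    complete decides what the file contains."""
    caches = {host: HstsCache(path) for host in RESPONSES}  # all start from the same file
    for host in completion_order:
        if RESPONSES[host]:
            caches[host].hosts.add(host)
        caches[host].save()  # model assumption: every completion rewrites the file
    return HstsCache(path)  # what the next curl invocation would load


def run_parallel_shared_cache(path: str, completion_order: List[str]) -> HstsCache:
    """Fixed shape: one cache object shared by all transfers, so every host
    learned by any transfer survives to the final write."""
    shared = HstsCache(path)
    for host in completion_order:
        if RESPONSES[host]:
            shared.hosts.add(host)
        shared.save()
    return HstsCache(path)


def demo(vulnerable: bool) -> Dict[str, str]:
    """Run three 'parallel' transfers, then ask the resulting cache to upgrade
    an http:// URL for each host. Returns host -> URL actually used."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hsts.txt")
        runner = run_parallel_separate_caches if vulnerable else run_parallel_shared_cache
        cache = runner(path, ["a.example", "b.example", "c.example"])
        return {h: cache.upgrade(f"http://{h}/login") for h in RESPONSES}


if __name__ == "__main__":
    for label, flag in (("separate caches (vulnerable)", True), ("shared cache (fixed)", False)):
        print(label)
        for host, url in demo(flag).items():
            print(f"  {host}: {url}")
```

In the vulnerable run, a.example and b.example both learn HSTS, but b.example's completion overwrites a.example's entry and c.example's completion (which learned nothing) overwrites both, so a follow-up http://a.example/login is sent in clear text. With one shared cache, both HSTS hosts are upgraded and only the plain HTTP host stays on http://. The same loss occurs in the vulnerable model regardless of completion order, because only the last writer's view is kept.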
Recommendations
For versions prior to 7.88.0, update to version 7.88.0 or later, which resolves the issue. If updating is not immediately possible, do not combine the --parallel (-Z) option with --hsts: run HSTS-enabled transfers sequentially, or write https:// explicitly in the URLs instead of relying on the HSTS upgrade of http:// URLs. Avoid sending sensitive data over HTTP-only transfers to minimize the impact if an upgrade is missed.
Weakness Enumeration
Cleartext Transmission of Sensitive Information (CWE-319)
Related Identifiers
Affected Products
ALT Linux
Debian
Linux Mint
RED OS
SUSE
Ubuntu
curl