CVE-2023-28322

Name of the Vulnerable Software and Affected Versions curl versions prior to 8.1.0

Description An information disclosure issue exists when doing HTTP(S) transfers, where libcurl might erroneously use the read callback (CURLOPT READFUNCTION) to ask for data to send, even when the CURLOPT POSTFIELDS option has been set. This occurs if the same handle previously was used to issue a PUT request which used that callback. The flaw may cause the application to misbehave, sending off the wrong data or using memory after free in the second transfer. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

Recommendations For versions prior to 8.1.0, update to version 8.1.0 or later to resolve the issue. As a temporary workaround, consider avoiding the reuse of handles for PUT and POST requests, or disabling the CURLOPT READFUNCTION callback when switching from PUT to POST to minimize the risk of exploitation.