VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-b3n4-qjn2-x7dx

Essentials
Severities (22)
References (27)
Severity details (3)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-b3n4-qjn2-x7dx
Aliases	CVE-2023-28322
Summary	An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
Status	Published
Exploitability	0.5
Weighted Severity	3.3
Risk	1.6
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-440

Expected Behavior Violation

System	Score	Found at
cvssv3	3.7	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28322.json
epss	0.00388	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00388	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00388	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00502	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
epss	0.00516	https://api.first.org/data/v1/epss?cve=CVE-2023-28322
cvssv3.1	Low	https://curl.se/docs/CVE-2023-28322.html
cvssv3.1	6.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1	3.7	https://nvd.nist.gov/vuln/detail/CVE-2023-28322

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28322.json
		https://api.first.org/data/v1/epss?cve=CVE-2023-28322
		https://curl.se/docs/CVE-2023-28322.html
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28322
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://hackerone.com/reports/1954658
		https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
1036239		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036239
2196793		https://bugzilla.redhat.com/show_bug.cgi?id=2196793
cpe:2.3:a:haxx:curl::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haxx:curl::::::::
cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*
cpe:2.3:a:netapp:ontap_antivirus_connector:-:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:ontap_antivirus_connector:-:::::::*
cpe:2.3:o:apple:macos::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:apple:macos::::::::
cpe:2.3:o:fedoraproject:fedora:37:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:::::::*
cpe:2.3:o:fedoraproject:fedora:38:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:38:::::::*
CVE-2023-28322		https://nvd.nist.gov/vuln/detail/CVE-2023-28322
RHSA-2023:4354		https://access.redhat.com/errata/RHSA-2023:4354
RHSA-2023:4628		https://access.redhat.com/errata/RHSA-2023:4628
RHSA-2023:4629		https://access.redhat.com/errata/RHSA-2023:4629
RHSA-2023:5598		https://access.redhat.com/errata/RHSA-2023:5598
RHSA-2024:0428		https://access.redhat.com/errata/RHSA-2024:0428
RHSA-2024:0585		https://access.redhat.com/errata/RHSA-2024:0585
RHSA-2024:1601		https://access.redhat.com/errata/RHSA-2024:1601
RHSA-2024:2092		https://access.redhat.com/errata/RHSA-2024:2092
RHSA-2024:2093		https://access.redhat.com/errata/RHSA-2024:2093
USN-6237-1		https://usn.ubuntu.com/6237-1/
USN-6237-3		https://usn.ubuntu.com/6237-3/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28322.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-28322

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.59311
EPSS Score	0.00388
Published At	Aug. 1, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:30:52.695102+00:00	Alpine Linux Importer	Import	https://secdb.alpinelinux.org/v3.21/main.json	37.0.0