Search for vulnerabilities
Vulnerability details: VCID-f7g4-7gzn-gfhm
Vulnerability ID VCID-f7g4-7gzn-gfhm
Aliases CVE-2023-23915
Summary A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS.
Status Published
Exploitability 0.5
Weighted Severity 5.9
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-319 Cleartext Transmission of Sensitive Information
System Score Found at
cvssv3 4.2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23915.json
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.00021 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
epss 0.00054 https://api.first.org/data/v1/epss?cve=CVE-2023-23915
cvssv3.1 Low https://curl.se/docs/CVE-2023-23915.html
cvssv3.1 7.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2023-23915
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23915.json
https://api.first.org/data/v1/epss?cve=CVE-2023-23915
https://curl.se/docs/CVE-2023-23915.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23915
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/1814333
1031371 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031371
2167813 https://bugzilla.redhat.com/show_bug.cgi?id=2167813
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:clustered_data_ontap:9.0:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:clustered_data_ontap:9.0:-:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*
CVE-2023-23915 https://nvd.nist.gov/vuln/detail/CVE-2023-23915
USN-5891-1 https://usn.ubuntu.com/5891-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23915.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-23915
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.03868
EPSS Score 0.00021
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:41:26.464727+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.21/main.json 37.0.0