Vulnerability details: VCID-pjd5-rdfe-aaak
Vulnerability ID VCID-pjd5-rdfe-aaak
Aliases CVE-2023-46218
Summary This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.
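As an added illustration of the check the summary describes (this is a model written for this page, not curl's code), the Python below accepts a Set-Cookie Domain attribute only when it domain-matches the host and is not a public suffix. The buggy variant looks the raw attribute up against a lowercase PSL, so `co.UK` slips through for `curl.co.uk`; the fixed variant normalizes case first. The PSL here is a constructed four-entry stand-in, not the real list.

```python
"""Model of the mixed-case Public Suffix List (PSL) check behind CVE-2023-46218.

Illustrative only; not curl's implementation. A cookie Domain attribute sent by
`host` is honoured when (a) it domain-matches the host (hostnames compare
case-insensitively) and (b) it is not itself a public suffix. The bug was in
(b): the raw Domain value was compared against the lowercase PSL, so a
mixed-case spelling of a PSL entry was not recognized as a public suffix.
"""

# Constructed, tiny stand-in for the real PSL (whose entries are lowercase).
PSL = {"com", "uk", "co.uk", "github.io"}


def is_public_suffix_buggy(domain: str) -> bool:
    """Case-sensitive lookup: misses mixed-case spellings such as `co.UK`."""
    return domain.lstrip(".") in PSL


def is_public_suffix_fixed(domain: str) -> bool:
    """Normalize case before the lookup, so `co.UK` is treated as `co.uk`."""
    return domain.lstrip(".").lower() in PSL


def domain_matches_host(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals domain or ends with '.' + domain."""
    host, domain = host.lower(), domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def cookie_domain_accepted(host: str, cookie_domain: str, psl_check) -> bool:
    """True if a Domain attribute received from `host` should be stored."""
    if not domain_matches_host(host, cookie_domain):
        return False
    return not psl_check(cookie_domain)


def would_be_sent_to(cookie_domain: str, target_host: str) -> bool:
    """A stored cookie is later sent to every host that domain-matches it."""
    return domain_matches_host(target_host, cookie_domain)


if __name__ == "__main__":
    for name, check in (("buggy", is_public_suffix_buggy),
                        ("fixed", is_public_suffix_fixed)):
        ok = cookie_domain_accepted("curl.co.uk", "co.UK", check)
        print(f"{name}: domain=co.UK from curl.co.uk accepted={ok}")
```

With the buggy check the `co.UK` cookie is stored and would then be sent to any other `*.co.uk` host; the fixed check rejects it.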
Status Published
Exploitability 0.5
Weighted Severity 5.9
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
cvssv3.1 6.5 https://access.redhat.com/errata/RHSA-2024:2094
ssvc Track https://access.redhat.com/errata/RHSA-2024:2094
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46218.json
epss 0.00071 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00097 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00102 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00122 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00241 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00248 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00327 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00337 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00419 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.00436 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
epss 0.01415 https://api.first.org/data/v1/epss?cve=CVE-2023-46218
cvssv3.1 Medium https://curl.se/docs/CVE-2023-46218.html
cvssv3.1 4.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 6.5 https://nvd.nist.gov/vuln/detail/CVE-2023-46218
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2023-46218
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46218.json
https://api.first.org/data/v1/epss?cve=CVE-2023-46218
https://curl.se/docs/CVE-2023-46218.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46218
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/2212193
https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
https://security.netapp.com/advisory/ntap-20240125-0007/
https://www.debian.org/security/2023/dsa-5587
1057646 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057646
2252030 https://bugzilla.redhat.com/show_bug.cgi?id=2252030
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
CVE-2023-46218 https://nvd.nist.gov/vuln/detail/CVE-2023-46218
GLSA-202409-20 https://security.gentoo.org/glsa/202409-20
RHSA-2024:0428 https://access.redhat.com/errata/RHSA-2024:0428
RHSA-2024:0434 https://access.redhat.com/errata/RHSA-2024:0434
RHSA-2024:0452 https://access.redhat.com/errata/RHSA-2024:0452
RHSA-2024:0585 https://access.redhat.com/errata/RHSA-2024:0585
RHSA-2024:1129 https://access.redhat.com/errata/RHSA-2024:1129
RHSA-2024:1383 https://access.redhat.com/errata/RHSA-2024:1383
RHSA-2024:1601 https://access.redhat.com/errata/RHSA-2024:1601
RHSA-2024:2092 https://access.redhat.com/errata/RHSA-2024:2092
RHSA-2024:2093 https://access.redhat.com/errata/RHSA-2024:2093
RHSA-2024:2094 https://access.redhat.com/errata/RHSA-2024:2094
USN-6535-1 https://usn.ubuntu.com/6535-1/
USN-6641-1 https://usn.ubuntu.com/6641-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/errata/RHSA-2024:2094
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-08T17:12:36Z/ Found at https://access.redhat.com/errata/RHSA-2024:2094
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46218.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-46218
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.32172
EPSS Score 0.00071
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-01-03T17:13:34.596463+00:00 NVD Importer Import https://nvd.nist.gov/vuln/detail/CVE-2023-46218 34.0.0rc1