Vulnerability details: VCID-rpcy-cmfw-8ydm
Vulnerability ID VCID-rpcy-cmfw-8ydm
Aliases CVE-2023-46218
Summary This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than is otherwise allowed or possible. A site can thereby set cookies that get sent to different, unrelated sites and domains. It does this by exploiting a mixed-case flaw in the curl function that verifies a given cookie domain against the Public Suffix List (PSL). For example, a cookie could be set with `domain=co.UK` when the URL used the lower-case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.
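The reason the case mismatch matters is that the two checks disagree: the PSL lookup compared the `domain` attribute verbatim against a list whose entries are lower-case, while cookie domain matching on send is case-insensitive (RFC 6265), so a cookie accepted for `co.UK` is later attached to every request under `co.uk`. The following model, added here as an illustration and not taken from curl's source, shows the pre-fix acceptance check beside the corrected one (normalising case before the PSL lookup, which is what curl 8.5.0 does) and follows the stored cookie through to an unrelated host. The PSL subset, hostnames and the `Set-Cookie` header are constructed for the example. Two practical caveats: curl only consults the PSL when built against libpsl (look for `PSL` on the Features line of `curl --version`), and builds without it never had this check and accept `domain=co.uk` regardless of case.

```python
# Added illustration of the CVE-2023-46218 check; this is not curl's code.
# The PSL subset, hostnames and cookie header below are constructed.

# Constructed subset of the Public Suffix List. Real PSL entries are
# lower-case, which is why a mixed-case lookup key misses them.
PSL = {"com", "uk", "co.uk", "github.io"}


def is_public_suffix(domain: str) -> bool:
    """Exact-match PSL lookup on whatever string the caller hands in."""
    return domain in PSL


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching, which is case-insensitive: this is the
    test applied when deciding whether to *send* a stored cookie."""
    host = host.lower()
    d = cookie_domain.lower()
    return host == d or host.endswith("." + d)


def vulnerable_accept(request_host: str, cookie_domain: str) -> bool:
    """Pre-fix behaviour: the PSL lookup sees the domain attribute verbatim."""
    d = cookie_domain.lstrip(".")
    if is_public_suffix(d):          # 'co.UK' is not in the list -> passes
        return False
    return domain_match(request_host, d)


def fixed_accept(request_host: str, cookie_domain: str) -> bool:
    """Fixed behaviour: lower-case the domain before consulting the PSL."""
    d = cookie_domain.lstrip(".").lower()
    if is_public_suffix(d):          # 'co.uk' is found -> rejected
        return False
    return domain_match(request_host, d)


def parse_set_cookie(request_host: str, header: str):
    """Minimal Set-Cookie parser: returns (name, value, domain)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = request_host            # host-only cookie unless domain= given
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip()
    return name.strip(), value.strip(), domain


class CookieJar:
    """Tiny cookie store parameterised by the acceptance check in use."""

    def __init__(self, accept):
        self.accept = accept
        self.cookies = []            # (name, value, domain)

    def store(self, request_host: str, header: str) -> bool:
        name, value, domain = parse_set_cookie(request_host, header)
        if not self.accept(request_host, domain):
            return False
        self.cookies.append((name, value, domain))
        return True

    def cookies_for(self, host: str):
        return [(n, v) for n, v, d in self.cookies if domain_match(host, d)]


def super_cookie_leak(accept):
    """A response from the attacker's host tries domain=co.UK; return what an
    unrelated host under the same public suffix would then receive."""
    jar = CookieJar(accept)
    jar.store("curl.co.uk", "super=1; domain=co.UK")   # constructed header
    return jar.cookies_for("bank.co.uk")


if __name__ == "__main__":
    print("vulnerable:", super_cookie_leak(vulnerable_accept))
    print("fixed:     ", super_cookie_leak(fixed_accept))
```

With the pre-fix check the jar hands `super=1` to `bank.co.uk`; with the corrected check the cookie is refused at set time and nothing is sent. The same normalisation must be applied to the stored domain, not only to the lookup key, or a mixed-case domain still survives into the jar.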
Status Published
Exploitability 0.5
Weighted Severity 5.9
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (1)
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46218.json
https://api.first.org/data/v1/epss?cve=CVE-2023-46218
https://curl.se/docs/CVE-2023-46218.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46218
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://hackerone.com/reports/2212193
https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
https://security.netapp.com/advisory/ntap-20240125-0007/
https://www.debian.org/security/2023/dsa-5587
1057646 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057646
2252030 https://bugzilla.redhat.com/show_bug.cgi?id=2252030
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
CVE-2023-46218 https://nvd.nist.gov/vuln/detail/CVE-2023-46218
RHSA-2024:0428 https://access.redhat.com/errata/RHSA-2024:0428
RHSA-2024:0434 https://access.redhat.com/errata/RHSA-2024:0434
RHSA-2024:0452 https://access.redhat.com/errata/RHSA-2024:0452
RHSA-2024:0585 https://access.redhat.com/errata/RHSA-2024:0585
RHSA-2024:1129 https://access.redhat.com/errata/RHSA-2024:1129
RHSA-2024:1316 https://access.redhat.com/errata/RHSA-2024:1316
RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317
RHSA-2024:1383 https://access.redhat.com/errata/RHSA-2024:1383
RHSA-2024:1601 https://access.redhat.com/errata/RHSA-2024:1601
RHSA-2024:2092 https://access.redhat.com/errata/RHSA-2024:2092
RHSA-2024:2093 https://access.redhat.com/errata/RHSA-2024:2093
RHSA-2024:2094 https://access.redhat.com/errata/RHSA-2024:2094
USN-6535-1 https://usn.ubuntu.com/6535-1/
USN-6641-1 https://usn.ubuntu.com/6641-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46218.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-46218
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.42905
EPSS Score 0.00203
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:29:14.256494+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.20/main.json 37.0.0