{
  "document": {
    "aggregate_severity": {
      "text": "Low"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/cloudlinux7els/vex/2023/cve-2023-38546-els_os-cloudlinux7els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-06-12T21:52:11Z",
      "generator": {
        "date": "2026-06-12T21:52:11Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2023-38546-ELS_OS-CLOUDLINUX7ELS",
      "initial_release_date": "2023-10-18T04:15:00Z",
      "revision_history": [
        {
          "date": "2023-10-18T04:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-12T21:52:11Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Security update on CVE-2023-38546"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "CloudLinux 7",
                "product": {
                  "name": "CloudLinux 7",
                  "product_id": "CloudLinux-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:cloudlinux:cloudlinux:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "CloudLinux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                "product": {
                  "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libcurl@7.29.0-59.0.3.el7_9.2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libcurl-devel@7.29.0-59.0.3.el7_9.2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                "product": {
                  "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_id": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/curl@7.29.0-59.0.3.el7_9.2?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
                "product": {
                  "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
                  "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libcurl@7.29.0-59.0.3.el7_9.2?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
                  "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libcurl-devel@7.29.0-59.0.3.el7_9.2?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "Cloud Linux Software, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                "product": {
                  "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libcurl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libcurl-devel@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                "product": {
                  "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_id": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/curl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                "product": {
                  "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                  "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libcurl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                  "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libcurl-devel@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64"
        },
        "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64"
        },
        "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686"
        },
        "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686"
        },
        "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64"
        },
        "product_reference": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64"
        },
        "product_reference": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-38546",
      "notes": [
        {
          "category": "description",
          "text": "This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if a specific series of conditions is met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates an easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "CloudLinux-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
          "CloudLinux-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
          "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
          "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
          "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
          "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
          "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
          "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
          "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
          "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-38546"
        },
        {
          "category": "external",
          "summary": "http://seclists.org/fulldisclosure/2024/Jan/34",
          "url": "http://seclists.org/fulldisclosure/2024/Jan/34"
        },
        {
          "category": "external",
          "summary": "http://seclists.org/fulldisclosure/2024/Jan/37",
          "url": "http://seclists.org/fulldisclosure/2024/Jan/37"
        },
        {
          "category": "external",
          "summary": "http://seclists.org/fulldisclosure/2024/Jan/38",
          "url": "http://seclists.org/fulldisclosure/2024/Jan/38"
        },
        {
          "category": "external",
          "summary": "https://curl.se/docs/CVE-2023-38546.html",
          "url": "https://curl.se/docs/CVE-2023-38546.html"
        },
        {
          "category": "external",
          "summary": "https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868",
          "url": "https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/kb/HT214036",
          "url": "https://support.apple.com/kb/HT214036"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/kb/HT214057",
          "url": "https://support.apple.com/kb/HT214057"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/kb/HT214058",
          "url": "https://support.apple.com/kb/HT214058"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/kb/HT214063",
          "url": "https://support.apple.com/kb/HT214063"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2023/10/msg00016.html",
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00016.html"
        },
        {
          "category": "external",
          "summary": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html",
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
        },
        {
          "category": "external",
          "summary": "https://cert-portal.siemens.com/productcert/html/ssa-093430.html",
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-093430.html"
        },
        {
          "category": "external",
          "summary": "https://cert-portal.siemens.com/productcert/html/ssa-832273.html",
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-832273.html"
        },
        {
          "category": "external",
          "summary": "https://cert-portal.siemens.com/productcert/html/ssa-943925.html",
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-943925.html"
        }
      ],
      "release_date": "2023-10-18T04:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "date": "2026-06-12T13:07:19.313225Z",
          "details": "This vulnerability only triggers when an application uses curl_easy_duphandle on a handle that has cookies enabled but did not load them from a file, and a correctly formatted cookie file named \"none\" exists and is readable in the process’s current working directory—conditions that typically require the attacker to have local filesystem write access to that directory. It does not affect the curl command-line tool and only allows manipulation of outgoing cookies for that process, with no code execution, no confidentiality impact, and limited integrity effect. Given the high attack complexity, precise non-default preconditions, and narrow impact, this can be safely deprioritized in centrally managed VM/server environments.",
          "product_ids": [
            "CloudLinux-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "CloudLinux-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
            "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
            "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
            "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
            "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
            "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
            "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "CloudLinux-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
            "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
            "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
            "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "CloudLinux-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
            "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
            "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
            "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "CloudLinux-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    }
  ]
}