{
  "document": {
    "aggregate_severity": {
      "text": "Low"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/rhel7els/vex/2023/cve-2023-28322-els_os-rhel7els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-06-13T02:53:52Z",
      "generator": {
        "date": "2026-06-13T02:53:52Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2023-28322-ELS_OS-RHEL7ELS",
      "initial_release_date": "2023-05-26T21:15:00Z",
      "revision_history": [
        {
          "date": "2023-05-26T21:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-13T02:53:52Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Security update on CVE-2023-28322"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux 7",
                "product": {
                  "name": "Red Hat Enterprise Linux 7",
                  "product_id": "Red-Hat-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:redhat:enterprise_linux:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                "product": {
                  "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_id": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/curl@7.29.0-59.0.3.el7_9.2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                "product": {
                  "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libcurl@7.29.0-59.0.3.el7_9.2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libcurl-devel@7.29.0-59.0.3.el7_9.2?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
                "product": {
                  "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
                  "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libcurl@7.29.0-59.0.3.el7_9.2?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
                  "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/libcurl-devel@7.29.0-59.0.3.el7_9.2?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                "product": {
                  "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_id": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/curl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                "product": {
                  "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                "product": {
                  "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                  "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                "product": {
                  "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                  "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64"
        },
        "product_reference": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64"
        },
        "product_reference": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686"
        },
        "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686"
        },
        "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64"
        },
        "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64"
        },
        "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
        "relates_to_product_reference": "Red-Hat-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686 as a component of Red Hat Enterprise Linux 7",
          "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686"
        },
        "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
        "relates_to_product_reference": "Red-Hat-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-28322",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "description",
          "text": "An information disclosure vulnerability exists in curl <v8.1.0: when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle was previously used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
          "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
          "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
          "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
          "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
          "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
          "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
          "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
          "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
          "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-28322"
        },
        {
          "category": "external",
          "summary": "http://seclists.org/fulldisclosure/2023/Jul/47",
          "url": "http://seclists.org/fulldisclosure/2023/Jul/47"
        },
        {
          "category": "external",
          "summary": "http://seclists.org/fulldisclosure/2023/Jul/48",
          "url": "http://seclists.org/fulldisclosure/2023/Jul/48"
        },
        {
          "category": "external",
          "summary": "http://seclists.org/fulldisclosure/2023/Jul/52",
          "url": "http://seclists.org/fulldisclosure/2023/Jul/52"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/1954658",
          "url": "https://hackerone.com/reports/1954658"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html",
          "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202310-12",
          "url": "https://security.gentoo.org/glsa/202310-12"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20230609-0009/",
          "url": "https://security.netapp.com/advisory/ntap-20230609-0009/"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/kb/HT213843",
          "url": "https://support.apple.com/kb/HT213843"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/kb/HT213844",
          "url": "https://support.apple.com/kb/HT213844"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/kb/HT213845",
          "url": "https://support.apple.com/kb/HT213845"
        }
      ],
      "release_date": "2023-05-26T21:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "date": "2026-06-12T13:07:12.668872Z",
          "details": "CVE-2023-28322 only affects libcurl 7.7–8.0.1 and cannot be triggered by the curl command-line tool; it requires a very specific application pattern: reusing the same easy handle after a PUT that used CURLOPT_READFUNCTION, then doing a POST using only CURLOPT_POSTFIELDS without resetting the method. Because exploitation depends on this non-default, application-internal state transition rather than a network-triggerable flaw, practical risk in managed server/VM contexts is low. Impact is limited to potential information disclosure or unintended data being sent, with no integrity or availability effect.",
          "product_ids": [
            "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
            "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
            "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
            "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
            "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
            "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
            "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64",
            "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686",
            "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
            "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64",
            "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686",
            "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686",
            "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64",
            "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    }
  ]
}