CVE-2023-23915: HSTS amnesia with --parallel

Disclosed: 2023-02-15 09:06:04 By nyymi To curl
Low
Vulnerability Details
## Summary:
curl overwrites HSTS cache entries if requests are performed in parallel.

## Steps To Reproduce:
1. `curl --parallel --hsts hsts.txt https://site1.tld https://site2.tld https://site3.tld`

Only one of the sites contacted will have an entry in `hsts.txt` afterwards. Non-TLS connections to the other sites will not be protected by TLS.

## Impact
Requests performed over insecure channels unexpectedly and loss of confidentiality and integrity.
Report Stats
  • Report ID: 1814333
  • State: Closed
  • Substate: resolved
  • Upvotes: 7
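A way to check for the symptom described in the report, as an added example that is not part of the original report or of curl: it parses an `--hsts` cache file and lists the HTTPS hosts from a run that have no live entry. It assumes the file format documented by curl (`host "YYYYMMDD HH:MM:SS"` in GMT, a leading dot for includeSubDomains, `unlimited` for no expiry) and that every contacted host sent a `Strict-Transport-Security` header; the function names and the sample cache are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: the cache after the report's three-host --parallel run,
# where only one entry survived. Hostnames are the report's placeholders.
SAMPLE_CACHE = '''\
# Your HSTS cache. https://curl.se/docs/hsts.html
# This file was generated by libcurl! Edit at your own risk.
site3.tld "20240215 09:06:04"
'''

def parse_hsts_cache(text):
    """Return {host: (include_subdomains, expiry)}; expiry None means 'unlimited'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entries
        host, _, stamp = line.partition(" ")
        stamp = stamp.strip().strip('"')
        include_sub = host.startswith(".")  # leading dot = includeSubDomains
        host = host.strip(".").lower()
        if stamp == "unlimited":
            expiry = None
        else:
            try:
                expiry = datetime.strptime(stamp, "%Y%m%d %H:%M:%S")
                expiry = expiry.replace(tzinfo=timezone.utc)
            except ValueError:
                continue  # malformed stamp: treat the line as absent
        entries[host] = (include_sub, expiry)
    return entries

def is_covered(host, entries, now):
    """True if an unexpired entry matches host exactly or as a parent domain."""
    host = host.rstrip(".").lower()
    for name, (include_sub, expiry) in entries.items():
        if expiry is not None and expiry <= now:
            continue  # expired entries no longer force HTTPS
        if host == name or (include_sub and host.endswith("." + name)):
            return True
    return False

def missing_hosts(cache_text, expected_hosts, now):
    """Hosts contacted over HTTPS that have no live HSTS entry in the cache."""
    entries = parse_hsts_cache(cache_text)
    return [h for h in expected_hosts if not is_covered(h, entries, now)]

if __name__ == "__main__":
    now = datetime(2023, 2, 15, 9, 6, 4, tzinfo=timezone.utc)
    print(missing_hosts(SAMPLE_CACHE, ["site1.tld", "site2.tld", "site3.tld"], now))
```

A non-empty result after a `--parallel` run means later plain-HTTP requests to those hosts will not be upgraded by the cache.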