VYPR
Unrated severity · NVD Advisory · Published Feb 23, 2023 · Updated Mar 12, 2025

CVE-2023-23914

Description

A cleartext transmission of sensitive information vulnerability in curl <v7.88.0 causes HSTS state to be lost between sequential requests on the same command line.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cleartext transmission of sensitive information vulnerability exists in curl versions prior to v7.88.0. The HSTS (HTTP Strict Transport Security) functionality fails to persist its state when multiple URLs are requested serially in a single command-line invocation. After an initial response instructs curl to use HTTPS for a host, subsequent transfers on the same command line may incorrectly fall back to insecure HTTP, ignoring the HSTS policy [1].
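To make the state-loss mechanism concrete, the following is an added Python model, not curl's code and not part of this advisory, of an HSTS known-hosts cache that is either shared across all transfers of one command line or re-created for each transfer. Modelling the pre-7.88.0 behaviour as a fresh cache per transfer is an assumption for illustration, and the hostnames and server headers are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    """Constructed model of an HSTS known-hosts cache (RFC 6797 semantics); not curl's code."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry in epoch seconds, includeSubDomains flag)

    def learn(self, host, header_value):
        """Record the policy carried by a Strict-Transport-Security header."""
        parsed = {}
        for directive in header_value.lower().split(";"):
            name, _, value = directive.partition("=")
            parsed[name.strip()] = value.strip().strip('"')
        if not (max_age := parsed.get("max-age", "")).isdigit():
            return  # missing or malformed max-age: the header is ignored
        # max-age=0 stores an already-expired entry, which is how a policy is revoked
        self.hosts[host.lower()] = (time.time() + int(max_age), "includesubdomains" in parsed)

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > time.time() and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// when the host has a live HSTS policy."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

def run_transfers(urls, responses, share_state):
    """Simulate serial transfers from one command line and return the URLs used.
    responses maps host -> STS header the (constructed) server sends; share_state=False
    models the pre-7.88.0 bug: each transfer starts with a fresh cache, losing the policy."""
    cache, used = HstsCache(), []
    for url in urls:
        if not share_state:
            cache = HstsCache()
        used.append(final := cache.upgrade(url))
        host = urlsplit(final).hostname
        if host in responses and final.startswith("https://"):  # RFC 6797: trust HTTPS only
            cache.learn(host, responses[host])
    return used
```

With a shared cache the second and third transfers are upgraded to HTTPS; with a per-transfer cache they go out in cleartext, which is the exposure the description refers to.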

Exploitation

An attacker with a network position capable of intercepting or redirecting HTTP traffic can exploit this behavior. The curl command must be used with HSTS enabled (e.g., via --hsts flag or configuration). When multiple URLs are passed on the same command line, the HSTS state from one response is not correctly carried over to the next request, causing curl to send the subsequent request over cleartext HTTP instead of the mandated HTTPS [1]. No authentication or additional privileges are required beyond the ability to perform a man-in-the-middle attack on the network path.

Impact

Successful exploitation leads to cleartext transmission of sensitive information that would otherwise be encrypted. This compromises confidentiality (C) and integrity (I) of the data exchanged, as an attacker can read or modify the HTTP traffic. The vulnerability undermines the HSTS protection, which is designed to prevent downgrade attacks [1].

Mitigation

Users should upgrade curl to version 7.88.0 or later. For Gentoo Linux systems, the fixed version is net-misc/curl-8.3.0-r2 or higher [1]. No workaround is available; upgrading is the only mitigation.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 7

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in the index yet)