CVE-2023-38546 Report - Details, Severity, & Advisories

Twingate Team

May 30, 2024

What is CVE-2023-38546?

CVE-2023-38546 is a low-severity vulnerability in libcurl that, under specific conditions, allows an attacker to insert cookies into a running program that uses the library. It affects libcurl versions from 7.9.1 to 8.3.0, and because many applications use libcurl, the set of potentially impacted systems is large. The likelihood of exploitation is low, but it is still worth knowing whether your software links an affected version and taking the precautions described below.

Who is impacted by CVE-2023-38546?

Any application that uses an affected version of libcurl is potentially impacted, and that covers a wide range of software. The issue allows an attacker to insert cookies into the running program under certain conditions. If you are using an affected version of libcurl, stay informed and take the precautions below to mitigate the risk.

What should I do if I’m affected?

If you're affected by CVE-2023-38546, take action to protect your system. To mitigate the risk, follow these steps:

  1. Upgrade to libcurl version 8.4.0 or apply the patch to your local version.

  2. After every curl_easy_duphandle() call, add the following call: curl_easy_setopt(cloned_curl, CURLOPT_COOKIELIST, "ALL");

  3. Stay informed about security updates and apply them as needed.
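
To decide whether step 1 applies to a host, the libcurl version can be checked against the affected range given above. The script below is an added example, not code from the advisory or from the curl project; the function names and the sample banner are constructed for illustration.

```sh
#!/bin/sh
# Added example: triage a libcurl version against the range in this advisory
# (7.9.1 to 8.3.0 affected, 8.4.0 fixed). A build in the range that had the
# patch applied locally still reports its old version, so treat "affected"
# as "needs checking", not as proof.

# Constructed sample of the first line printed by `curl --version`.
SAMPLE_BANNER='curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.10 zlib/1.2.13'

# Extract the libcurl version from a `curl --version` banner.
libcurl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# Turn "X.Y.Z" into one comparable integer (each component assumed < 1000).
ver_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print one of: affected, not-affected, predates-range, unknown.
classify_libcurl() {
    v=${1%%-*}                      # drop suffixes such as "-DEV"
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    n=$(ver_to_int "$v")
    if [ "$n" -lt "$(ver_to_int 7.9.1)" ]; then
        echo predates-range
    elif [ "$n" -le "$(ver_to_int 8.3.0)" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Demo on the constructed banner; pass "$(curl --version)" on a real host.
classify_libcurl "$(libcurl_version_from_banner "$SAMPLE_BANNER")"
```

Applications that bundle or statically link their own libcurl will not be covered by checking the system curl binary and need the same check against the bundled version.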

Is this in CISA’s Known Exploited Vulnerabilities Catalog?

The CVE-2023-38546 vulnerability, also known as "cookie injection with none file," is not listed in CISA's Known Exploited Vulnerabilities Catalog.

Weakness Enumeration

The weakness enumeration for this vulnerability is categorized as CWE-Insufficient Information, indicating a lack of specific details about the vulnerability and its mitigation.

Learn More

For a comprehensive understanding of this vulnerability, including its description, severity, technical details, and known affected software configurations, visit the NVD page or refer to the sources listed below.
