Insyde Security Advisory 2023058

| Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
|---|---|---|---|---|---|
| INSYDE-SA-2023058 | Software | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L | 5.5 | 09/12/2023 | 09/12/2023 |

Summary:

curl: fopen race condition.

Vulnerability Details:

CVE-2023-32001
libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing so, it called `stat()` followed by `fopen()` in a way that made it vulnerable to a TOCTOU (time-of-check to time-of-use) race condition. An attacker could trick the victim into creating or overwriting protected files holding this data in ways that were not intended.

Solution Information:
OPF RV 23.08 and after.
SPF RV 23.11 and after.

Revision History:

| Revision | Date | Description |
|---|---|---|
| 1.0 | 09/12/2023 | Initial Release |
