INSYDE-SA-2023058

Product: Supervyse
CVSS Score: 5.5
Original Date: 2023-09-12
Last Revised:

Summary

curl: fopen race condition.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CVE-2023-32001
libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called `stat()` followed by `fopen()` in a way that made it vulnerable to a time-of-check to time-of-use (TOCTOU) race condition. An attacker could trick the victim into creating or overwriting protected files holding this data in ways that were not intended.
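
The check-then-open pattern described above, next to a descriptor-based alternative, as an added example that is not code from libcurl or Insyde. The function names `save_racy` and `save_checked` are hypothetical, and the hardened version shows one general way to close the gap between check and use, not the upstream patch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the path is checked, then resolved a second time by fopen().
 * Whatever the path names can be replaced between the two calls. */
int save_racy(const char *path, const char *data)
{
    struct stat sb;
    if (stat(path, &sb) == 0 && !S_ISREG(sb.st_mode))
        return -1;                        /* time of check */
    FILE *fp = fopen(path, "w");          /* time of use: path resolved again */
    if (!fp)
        return -1;
    int rc = (fputs(data, fp) < 0) ? -1 : 0;
    return (fclose(fp) == 0) ? rc : -1;
}

/* Hardened pattern: resolve the path once, refuse a symlink as the final
 * component, then inspect the object that was actually opened. */
int save_checked(const char *path, const char *data)
{
    struct stat sb;
    /* No O_TRUNC here: nothing is modified until the checks below pass. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                        /* includes ELOOP for a symlink */
    if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode) ||
        sb.st_nlink != 1 ||               /* reject extra hard links */
        ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    size_t len = strlen(data);
    int rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    return (close(fd) == 0) ? rc : -1;
}
```

`fstat()` operates on the open descriptor, so the object that is checked is the same object that is written, regardless of later changes to the path.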

Solution Information

OPF RV 23.08 and after.
SPF RV 23.11 and after.

Acknowledgements

Revision History

Revision #: 1
Date: 2023-09-12
Description: Initial Release