CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
AI Score
Confidence: High
EPSS
Percentile: 30.8%
curl’s HSTS cache saving behaves wrongly when multiple URLs are requested in
parallel.
Using its HSTS support, curl can be instructed to use HTTPS instead of using
an insecure clear-text HTTP step even when HTTP is provided in the URL. This
HSTS mechanism would however surprisingly fail when multiple transfers are done
in parallel as the HSTS cache file gets overwritten by the most recently
completed transfer.
A later HTTP-only transfer to the earlier hostname would then not get
upgraded properly to HSTS.
Reproducible like this:
curl --hsts hsts.txt --parallel https://curl.se https://example.com
curl --hsts hsts.txt http://curl.se
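
A check for the state described above, as an added example that is not code from curl or from this advisory: it lists the hosts that have no live entry in an HSTS cache file, which is what the reproduction leaves behind for the transfer that did not finish last. The function name `hsts_missing` is hypothetical, the sample cache contents are constructed, and the line format assumed is the one in curl's HSTS documentation.

```shell
#!/bin/sh
# Added example (not curl code): report hosts with no live entry in a curl
# HSTS cache file. Assumed line format, per curl's HSTS documentation:
#   [.]hostname "YYYYMMDD HH:MM:SS"   (or "unlimited"); '#' starts a comment.
# A leading dot means the entry also covers subdomains (includeSubDomains).

# hsts_missing FILE HOST...  -> prints each HOST not covered by FILE
hsts_missing() {
    cache=$1; shift
    now=$(date -u '+%Y%m%d %H:%M:%S')
    for host in "$@"; do
        awk -v want="$host" -v now="$now" '
            BEGIN { want = tolower(want); found = 0 }
            /^[ \t]*#/ || NF == 0 { next }
            {
                stamp = $2 (NF > 2 ? " " $3 : ""); gsub(/"/, "", stamp)
                if (stamp != "unlimited" && (stamp "") < (now "")) next  # expired
                name = tolower($1); subs = 0
                if (substr(name, 1, 1) == ".") { subs = 1; name = substr(name, 2) }
                tail = substr(want, length(want) - length(name))
                if (name == want) found = 1
                else if (subs && length(want) > length(name) && tail == "." name) found = 1
            }
            END { exit found ? 0 : 1 }
        ' "$cache" 2>/dev/null || printf '%s\n' "$host"
    done
}

# Constructed sample: the cache as the advisory describes it after the parallel
# run, holding only the entry from the transfer that completed last.
demo=$(mktemp)
printf '%s\n' '# Your HSTS cache. https://curl.se/docs/hsts.html' \
    'example.com "20990101 00:00:00"' > "$demo"
hsts_missing "$demo" curl.se example.com    # prints: curl.se
rm -f "$demo"
```

Run against the real `hsts.txt` after a `--parallel` invocation, any host printed would still be fetched over clear-text HTTP by a later `http://` request.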