发布时间: 2023年3月25日
修改时间: 2024年11月30日
libcurl supports sharing HSTS data between separate handles . This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.INFO----This feature was not implemented to support sharing between threads. That is still left for future improvements. The fix for this issue is therefore a documentation update clarifying that sharing HSTS between threads is not expected to work.
| NVD | openEuler | |
|---|---|---|
| Confidentiality | None | Low |
| Attack Vector | Network | Local |
| CVSS评分 | 5.9 | 5.8 |
| Attack Complexity | High | High |
| Privileges Required | None | Low |
| Scope | Unchanged | Unchanged |
| Integrity | None | Low |
| User Interaction | None | None |
| Availability | High | High |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2023-1225 | libcurl supports sharing HSTS data between separate handles . This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free.INFO----This feature was not implemented to support sharing between threads. That is still left for future improvements. The fix for this issue is therefore a documentation update clarifying that sharing HSTS between threads is not expected to work. | 2023年3月25日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-4A | curl | Unaffected |
| KY3.4-5 | curl | Unaffected |
| KY3.5.1 | curl | Unaffected |
| KY3.5.2 | curl | Unaffected |
