{"id":"CVE-2023-38546","details":"This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if a specific series of conditions is met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates an easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. 
And if using the correct file format of course.","aliases":["CURL-CVE-2023-38546"],"modified":"2026-04-16T08:42:39.361819Z","published":"2023-10-18T04:15:11.137Z","related":["ALSA-2023:5763","ALSA-2023:6745","ALSA-2024:1601","CGA-3355-4hp2-cxv4","SUSE-SU-2023:4043-1","SUSE-SU-2023:4044-1","SUSE-SU-2023:4045-1","SUSE-SU-2023:4650-1","USN-6429-3","openSUSE-SU-2024:13325-1"],"references":[{"type":"WEB","url":"https://forum.vmssoftware.com/viewtopic.php?f=8&t=8868"},{"type":"WEB","url":"https://support.apple.com/kb/HT214058"},{"type":"WEB","url":"https://support.apple.com/kb/HT214063"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00016.html"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2024/Jan/37"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/"},{"type":"WEB","url":"https://support.apple.com/kb/HT214036"},{"type":"WEB","url":"https://support.apple.com/kb/HT214057"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2024/Jan/34"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2024/Jan/38"},{"type":"FIX","url":"https://curl.se/docs/CVE-2023-38546.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"329bcf3a7117c7e5c26d7c8f840af64fb7140753"},{"fixed":"172e54cda18412da73fd8eb4e444e8a5b371ca59"}],"database_specific":{"versions":[{"introduced":"7.9.1"},{"fixed":"8.4.0"}]}}],"versions":["before_ftp_statemachine","curl-7_10","curl-7_10_1","curl-7_10_2","curl-7_10_3","curl-7_10_4","curl-7_10_5","curl-7_10_6","curl-7_10_7","curl-7_10_8","curl-7_11_0","curl-7_11_1","curl-7_11_2","curl-7_12_0","curl-7_12_1","curl-7_12_2","curl-7_12_3","curl-7_13_0","curl-7_13_1","curl-7_13_2","curl-7_14_0","curl-7_14_1","curl-7_15_0","curl-7_15_1","curl-7_15_2","curl-7_15_3","curl-7_15_4","curl-7_15_5","curl-7_15_6-prepipeline","curl-7_16_0","curl-7_16_1","curl-7_16_2","curl-7_16_3","
curl-7_16_4","curl-7_17_0","curl-7_17_0-preldapfix","curl-7_17_1","curl-7_18_0","curl-7_18_1","curl-7_18_2","curl-7_19_0","curl-7_19_1","curl-7_19_2","curl-7_19_3","curl-7_19_4","curl-7_19_5","curl-7_19_6","curl-7_19_7","curl-7_20_0","curl-7_20_1","curl-7_21_0","curl-7_21_1","curl-7_21_2","curl-7_21_3","curl-7_21_4","curl-7_21_5","curl-7_21_6","curl-7_21_7","curl-7_22_0","curl-7_23_0","curl-7_23_1","curl-7_25_0","curl-7_26_0","curl-7_27_0","curl-7_28_0","curl-7_28_1","curl-7_29_0","curl-7_30_0","curl-7_31_0","curl-7_32_0","curl-7_33_0","curl-7_34_0","curl-7_35_0","curl-7_36_0","curl-7_37_0","curl-7_37_1","curl-7_38_0","curl-7_39_0","curl-7_40_0","curl-7_41_0","curl-7_42_0","curl-7_43_0","curl-7_44_0","curl-7_45_0","curl-7_46_0","curl-7_47_0","curl-7_47_1","curl-7_48_0","curl-7_49_0","curl-7_49_1","curl-7_50_0","curl-7_50_1","curl-7_50_2","curl-7_50_3","curl-7_51_0","curl-7_52_0","curl-7_52_1","curl-7_53_0","curl-7_53_1","curl-7_54_0","curl-7_54_1","curl-7_55_0","curl-7_55_1","curl-7_56_0","curl-7_56_1","curl-7_57_0","curl-7_58_0","curl-7_59_0","curl-7_60_0","curl-7_61_0","curl-7_61_1","curl-7_62_0","curl-7_63_0","curl-7_64_0","curl-7_64_1","curl-7_65_0","curl-7_65_1","curl-7_65_2","curl-7_65_3","curl-7_66_0","curl-7_67_0","curl-7_68_0","curl-7_69_0","curl-7_69_1","curl-7_70_0","curl-7_71_0","curl-7_71_1","curl-7_72_0","curl-7_73_0","curl-7_74_0","curl-7_75_0","curl-7_76_0","curl-7_76_1","curl-7_77_0","curl-7_78_0","curl-7_79_0","curl-7_79_1","curl-7_80_0","curl-7_81_0","curl-7_82_0","curl-7_83_0","curl-7_83_1","curl-7_84_0","curl-7_85_0","curl-7_86_0","curl-7_87_0","curl-7_88_0","curl-7_88_1","curl-7_9_1","curl-7_9_2","curl-7_9_3","curl-7_9_3-pre1","curl-7_9_3-pre2","curl-7_9_3-pre3","curl-7_9_4","curl-7_9_5","curl-7_9_5-pre2","curl-7_9_5-pre4","curl-7_9_6","curl-7_9_7","curl-7_9_7-pre2","curl-7_9_8","curl-8_0_0","curl-8_0_1","curl-8_1_0","curl-8_1_1","curl-8_1_2","curl-8_2_0","curl-8_2_1","curl-8_3_0","curl-8_4_0"],"database_specific":{"vanir_signatures":[{"signatu
re_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-06a8ff72","signature_version":"v1","target":{"file":"lib/multi.c"},"digest":{"line_hashes":["263307682094500820290205177423064176866","321718229171705863456626913355012470508","183922927962438405201272844812329222263","15642842634395933921339914590773403229","25867451713061925981848695884337605847","149601294860883865403859404865289555963","90575944529110310116388777334791200415","301226691388550282457399043369151875135","112792544375522825767283206488529333659","317124317695468820147332529450104172442","279626610508633134674331854300499758549","319545292786741790628961548794621781780","307685309620836379624187236229132359918","195115621112340359530823265587072156773","86668430276747001255667977899716113166","161111405514161800165013528315216005059","308170577378865601343955254141018539084","55372857224031237829752412793271708872","263575754450363960617923052849304075584","307457786620768197988069311874095207694","296121126154374182804893858116505298639","31704939749513917889825480403850454919"],"threshold":0.9},"deprecated":false},{"signature_type":"Function","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-14a7aeab","signature_version":"v1","target":{"file":"lib/cf-socket.c","function":"do_connect"},"digest":{"function_hash":"237932710610101955861263443630007038111","length":1548},"deprecated":false},{"signature_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-281b1716","signature_version":"v1","target":{"file":"include/curl/system.h"},"digest":{"line_hashes":["141726004083826150297332644201013428892","160647893720381844090636055379291702551","240953266059513025688119487073249743594","302718822538118768931272267312169681587","149994933651253049576095808706198786268","226147444197141429045870830298675061810","30
2065076745837940529980562636199223874","181669538011728751988471984701666527523","123253115895660554021920887213024950321"],"threshold":0.9},"deprecated":false},{"signature_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-2af65ebb","signature_version":"v1","target":{"file":"lib/curl_setup.h"},"digest":{"line_hashes":["307735637131859088753486435402700768429","222600090078334172569991744031124722228","179487069789813720997021675371315695321","4937046583110787227061258358080850299","320072073212594975547501307715293178599","264011557248959870590358919970016903139","130562250241525122084108257420367296282","315161302301649832689986964069750367261","128603871237598613658944523807397420973","250384121785797532442311899323117199103","205892900842283828890987232435233030718"],"threshold":0.9},"deprecated":false},{"signature_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-7a7fd1e2","signature_version":"v1","target":{"file":"lib/curl_setup_once.h"},"digest":{"line_hashes":["34750992693478958138728471905003357503","115758682526657326067298833939451531429","290856872518332235961350696452127581891","306786620289776567412149226396400622376","182056150930946379449503049477305959248","97827629699958890605235526388417122559","133817841928160750322675472808696167974","338327552553423096513860524432564311595","172286668487196833960212922173784271070","73018212311488028011446883137514793985","110320422816145049986089039189992890750","142088825614697222316323778460690175547","232735515667816916975064481253089564193"],"threshold":0.9},"deprecated":false},{"signature_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-8baa426c","signature_version":"v1","target":{"file":"include/curl/multi.h"},"digest":{"line_hashes":["62754282639999331335000166695586488252","2284525069586892
27802272708420864505505","196619381641102575949591595563608340774","11983107166569350083664738511274853447","175131023041666167614745485887557216223","160055108580799060234011127926974860446"],"threshold":0.9},"deprecated":false},{"signature_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-91ca3900","signature_version":"v1","target":{"file":"lib/select.h"},"digest":{"line_hashes":["304554834165557774769799825694420316083","281772446236800063228827609672495531920","250109136465138082415094790109759272464","197617959229130573142022025500165098341"],"threshold":0.9},"deprecated":false},{"signature_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-950e8fbe","signature_version":"v1","target":{"file":"lib/urldata.h"},"digest":{"line_hashes":["47350584164390638421657483516748125576","287071698124826862101979251407511979009"],"threshold":0.9},"deprecated":false},{"signature_type":"Function","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-998e66d9","signature_version":"v1","target":{"file":"lib/multi.c","function":"curl_multi_fdset"},"digest":{"function_hash":"66321930300479189972374503815584433915","length":914},"deprecated":false},{"signature_type":"Function","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-b2b6cb3e","signature_version":"v1","target":{"file":"lib/select.c","function":"Curl_poll"},"digest":{"function_hash":"284512034176689032879040861674708683206","length":2825},"deprecated":false},{"signature_type":"Function","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-b7cb0af4","signature_version":"v1","target":{"file":"lib/cf-socket.c","function":"cf_udp_setup_quic"},"digest":{"function_hash":"19027098081999735910308636630429926416","length":1102
},"deprecated":false},{"signature_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-c29452a9","signature_version":"v1","target":{"file":"include/curl/curl.h"},"digest":{"line_hashes":["207164338839129032286190807413230553404","110800041465413858002998465309868537244","158971987049034126157440325195879910966","290227461053827327977795203998366579232","93380518440927338398538532335379032600","107432081930361215873509603079111784529","3557087170121162165376004596779947368","307018461205702085166035968197514031647","326434330372778381455971433549013750755","222198904576951632569822019657687148114","1386329855968792161579682574448578975","27658310193856675229012682550898543393","254483175568159826349769845652537424503","246533398879253069578800611190422467480","265224261304466812435501459670246274746","210933364649422984267134596391839645555","260669533129735114514249853191743244519","1912251460538077137534153122190231679","106178053316947079933453264927112268374","59913501235530591230019607996531137661"],"threshold":0.9},"deprecated":false},{"signature_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-c9b76822","signature_version":"v1","target":{"file":"lib/cf-socket.c"},"digest":{"line_hashes":["220074972677793547290747110446770772576","66031900372723219629836731746148972612","312716891063402113424827744485250273819","17544199523327820265248751243911025329","335070153882701649423664679225194874355","55436859196332971601553888240965905274","314837436556362162251332755268461206736","309822636945502852576783052225779459737","326682156759229290221136827359661639075","274013222619156790151736259616116499153","187833106141913108568530940328944776245","197746072329483712745897486632008082764","179556176391494941716007323578623249647","305605486648912476207012264067709919670","105264943041924824595511438151665801140","23377867206059039
2804035088471773401612","8422957112064664134430825665143164970","101655295961987761236318461813492947594","73026192955256478826951299288771222359","133515567552773311824660282108153358037","258767728415419144291522362724874047127","53204677260066646438234355935290602602","225929182268067833783586811077430838873","222360808511488025993438359797256515499","278758232465238060637923927728390425175","288286343543078881101592142605282242226","79139975242817955679986054332661480130","299513414300679973830017679445953495907","240769300295213700950288339878953323046","55594460690351702186356644024954906856","168644947394850176880435644451030803704","156600165616506637376317435300798725277","8919742447551626828806765369777970354","309449063929796213417044081986456517472","211266344815861947442753329655017077530","330914069272294607151070430812019470618","326830677823708718402743360223587310014","219628932377280284870139597191788693261","187151379962662113838391467313531988979","177816018658834231425220591985088039056","25911547816817436824064930400963345268","280482816921026916075921405639945586056","22706441630526509385331875698304773900","248440073528025239321637618682570968696","265356618017825649200544057563265609945","42927893770695984053048238911275569437","2933204812893395874188980572629835360","255512171513285227308104952687922412774","180077118391504653466513680531480925486","264696968840768668397977245697462030077","154993782941586243324396997503241755474","212578670419504022476666097053866672481","200468089342866594257187631609437095824","234120107643081183937309990602541693016","31704054757304986908530755890901696214","110014335772212182654132576893017648586","118815020189068712614390093753614393553","147721076804823186606937610916537009395","338031355604672940535887616998336698581","101447203547269136823721824983559427722","278790734838647616766240423204645195647","273056597826508444735119116819015163482","82724965730534817878487561941586519975","5551152964646357
1987561327017498144373","22511304144055707562573102005941878359","163990967092738201129898722761730965107","263955449179554940716292242539988866815","180077118391504653466513680531480925486","71140973139491917945127605123450810029","132572672206444265120250688296423795091","109886284674999430843698252496361998610","1535172347272136263013739328916883143","256253032883239984156927561804073989440","201345332710770985400564728851521230116","232513699147668249858426644005765579436","31029300778149335353015006165941299776","168723601361145397221247516492721937332","326822084859014883324325148067480757513","208275492348268358606658170382260747103","94693287535032119579076808938942970362","76270991698822047309210497463886347508","306160942115905947493589648575761732489"],"threshold":0.9},"deprecated":false},{"signature_type":"Function","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-cc7ce556","signature_version":"v1","target":{"file":"lib/multi.c","function":"hash_fd"},"digest":{"function_hash":"320969236782604712524596425284645515554","length":152},"deprecated":false},{"signature_type":"Function","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-d8c958bc","signature_version":"v1","target":{"file":"lib/select.c","function":"our_select"},"digest":{"function_hash":"29754786734616033181624100017028652817","length":638},"deprecated":false},{"signature_type":"Line","source":"https://github.com/curl/curl/commit/172e54cda18412da73fd8eb4e444e8a5b371ca59","id":"CVE-2023-38546-d95106a9","signature_version":"v1","target":{"file":"lib/select.c"},"digest":{"line_hashes":["94987943450660365199476259403272724472","63826320319478012736021848003389135928","98114649084200364890900141726030587457","261328897265120463816763953917527070657","201272240346967993903171794326619885600","247894214294328485543557655792339115328","327421313438836471336733987308075972510","23649899813
2103791523987478211436378664","52830971657421184919296326219395422929","162983994493229524312211970923488891461","324393097983845921292331744274156452152","130050690799897577225639043169309503660","258525914700916529121510203257258767756","139291323417737679499741606998312111636","196363911523754901014083072228726295671","161139715035920660390124432997418909444"],"threshold":0.9},"deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38546.json","vanir_signatures_modified":"2026-04-16T08:42:39Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}