ALAS2-2024-2531 --- curlID: oval:org.secpod.oval:def:1702254 | Date: (C)2024-05-09 (M)2024-05-09 |
Class: PATCH | Family: unix |
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List . For example a cookie could be set with domain=co.UK when the URL used a lowercase hostname curl.co.uk, even though co.uk is listed as a PSL domain