curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*
- >= 7.31.0, <= 8.15.0
A vulnerability exists in curl's cookie management that can lead to an out-of-bounds read. The issue arises when a secure cookie set over HTTPS is inadvertently overwritten by a non-secure cookie for the same domain received over HTTP. The flaw is caused by incorrect path comparison logic, which allows the clear-text cookie to replace the secure one, contrary to the expected behavior. The vulnerability was introduced in curl version 7.31.0 and exists in all versions up to and including 8.15.0.
Exploitation of this vulnerability causes a heap-buffer-overflow, which can lead to a crash or potentially allow a clear-text site to override the contents of a secure cookie, depending on the memory state.
The vulnerability can be reproduced by first sending a request to an HTTPS server that sets a secure cookie with a path of '/'. A request is then made to an HTTP server on the same domain, which can overwrite the secure cookie with a non-secure one. This sequence takes advantage of the flaw in how curl compares cookie paths, leading to an out-of-bounds read.
Users are advised to upgrade to curl version 8.16.0, where this vulnerability has been fixed.