{
  "threat_severity" : "Moderate",
  "public_date" : "2023-12-06T07:00:00Z",
  "bugzilla" : {
    "description" : "curl: excessively long file name may lead to unknown HSTS status",
    "id" : "2252034",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2252034"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-311",
  "details" : [ "When saving HSTS data to an excessively long file name, curl could end up\nremoving all contents, making subsequent requests using that file unaware of\nthe HSTS status they should otherwise use.", "A security bypass flaw was found in curl, triggered when HSTS data is saved to an excessively long file name. An error in handling the long file name causes curl to remove all contents of the HSTS cache file during the save process, so subsequent requests that use that file are unaware of the HSTS status they should otherwise enforce. Because the cached HSTS policy for those hosts is lost, curl no longer forces HTTPS for them, which may allow a network attacker positioned between curl and the server to perform a Man-in-the-Middle (MitM) attack." ],
  "acknowledgement" : "Red Hat would like to thank Maksymilian Arciemowicz for reporting this issue and Daniel Stenberg for providing the fix.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1316",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-curl-0:8.6.0-3.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1316",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-curl-0:8.6.0-3.el7jbcs"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2024-03-18T00:00:00Z",
    "advisory" : "RHSA-2024:1317",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-curl"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "puppet-agent",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-46219\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-46219\nhttps://curl.se/docs/CVE-2023-46219.html" ],
  "name" : "CVE-2023-46219",
  "csaw" : false
}