CVE-2023-32001: Time-of-check Time-of-use (TOCTOU) Race Condition

July 26, 2023 (updated August 3, 2023)

libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called stat() followed by fopen() in a way that made it vulnerable to a TOCTOU race condition problem.

By exploiting this flaw, an attacker could trick the victim to create or overwrite protected files holding this data in ways it was not intended to.

References

hackerone.com/reports/2039870
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BGJ7POX4ATGERTSBFJPW2EQH4Z65PSZJ/
nvd.nist.gov/vuln/detail/CVE-2023-32001
www.debian.org/security/2023/dsa-5460

Detect and mitigate CVE-2023-32001 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →