
Cloud Vulnerability DB
A community-led vulnerabilities database
A cleartext transmission of sensitive information vulnerability (CVE-2023-23915) exists in curl versions 7.77.0 through 7.87.0 inclusive. It affects curl's HSTS (HTTP Strict Transport Security) support when the curl tool performs several transfers in parallel. The issue was reported on December 21, 2022 and fixed in curl 7.88.0, released February 15, 2023 (Curl Advisory).
HSTS lets curl remember that a host must be reached over HTTPS, so that a later http:// URL for that host is upgraded to https:// without an insecure cleartext step. The cache that holds this knowledge is written to disk, and that saving misbehaves when transfers run in parallel (--parallel): each transfer saves the cache independently, so the file ends up containing only what the most recently completed transfer knew and entries learned by earlier transfers are lost. A subsequent HTTP-only transfer to one of those earlier hostnames is therefore not upgraded to HTTPS. The flaw was introduced in commit 7385610d0c7 and has been enabled by default since curl 7.77.0. It has been assigned a CVSS score of 6.5 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NetApp Advisory).
The impact is that requests which HSTS should have forced onto HTTPS go out as plain HTTP. An attacker positioned on the network path could then read or tamper with that traffic, including any credentials or other sensitive data it carries, because the HSTS protection silently failed for hosts learned during a parallel run (Curl Advisory).
The primary mitigation is to upgrade curl to version 7.88.0 or later, which shares the HSTS state between transfers so that every save persists the complete state rather than one transfer's view of it; `curl --version` shows the installed version. If upgrading is not immediately possible, either apply the patch to the local version or specify every URL as https:// instead of http://, which removes the dependency on the HSTS upgrade entirely (Curl Advisory).
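The following shell script is an added example and is not code from the curl project or from the advisory. It does two things a practitioner would want before trusting http:// URLs in a batch: it tests whether a curl version string falls in the affected range 7.77.0 to 7.87.0, and it parses an HSTS cache file in the format curl writes (one entry per line, `[.]host "YYYYMMDD HH:MM:SS"`, a leading dot meaning includeSubDomains) to report which http:// URLs would not be upgraded. The cache contents, hostnames and the helper names are constructed for the example; the sample file mimics the post-bug state the advisory describes, where only the last-completed transfer's entry survived.

```shell
#!/bin/sh
# Added example (not curl project code). Pre-flight checks around
# CVE-2023-23915: is this curl affected, and which http:// URLs would a
# (possibly truncated) HSTS cache fail to upgrade?

# version_key 7.87.0 -> 7087000, so ranges compare as plain integers.
version_key() {
    v=${1%%-*}                      # drop suffixes such as "-DEV"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.}; patch=${patch%%.*} ;; *) patch=0 ;; esac
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Returns 0 (true) if the given curl version is in 7.77.0 .. 7.87.0 inclusive.
curl_affected() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 7.77.0)" ] && [ "$k" -le "$(version_key 7.87.0)" ]
}

# Version of the curl on PATH, e.g. "7.88.1" from the "curl 7.88.1 (...)" line.
installed_curl_version() {
    curl --version 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# Returns 0 if HOST is covered by an unexpired entry in the HSTS cache FILE.
# NOW is a UTC date as YYYYMMDD (defaults to today); expiry is compared at
# day granularity, which is enough for a pre-flight check.
hsts_covers() {
    file=$1; host=$2; now=${3:-$(date -u +%Y%m%d)}
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # blank and comment lines
        entry=${line%% *}
        expiry=${line#* }; expiry=${expiry#\"}; expiry=${expiry%% *}
        [ "$expiry" -gt "$now" ] 2>/dev/null || continue  # expired or malformed
        case "$entry" in
            .*) dom=${entry#.}                            # includeSubDomains
                [ "$host" = "$dom" ] && return 0
                case "$host" in *".$dom") return 0 ;; esac ;;
            *)  [ "$host" = "$entry" ] && return 0 ;;
        esac
    done < "$file"
    return 1
}

# Prints every http:// URL among the arguments whose host the cache does not
# cover, i.e. the transfers that would go out in cleartext.
# Usage: unprotected_http_urls CACHEFILE YYYYMMDD URL...
unprotected_http_urls() {
    file=$1; now=$2; shift 2
    for url in "$@"; do
        case "$url" in
            http://*) h=${url#http://}; h=${h%%/*}; h=${h%%:*}
                      hsts_covers "$file" "$h" "$now" || echo "$url" ;;
        esac
    done
}

# Constructed sample cache: what the file can look like after an affected
# curl ran something like
#   curl --parallel --hsts hsts.txt https://a.example/ https://b.example/
# and only the last-completed transfer's entry was written back.
CACHE=$(mktemp)
cat > "$CACHE" <<'EOF'
# Your HSTS cache. https://curl.se/docs/hsts.html
# This file was generated by libcurl! Edit at your own risk.
.b.example "20991231 23:59:59"
stale.example "20200101 00:00:00"
EOF

# Stand-alone demonstration.
for v in 7.76.1 7.77.0 7.87.0 7.88.0; do
    if curl_affected "$v"; then echo "$v: affected"; else echo "$v: not affected"; fi
done
echo "would be sent as cleartext HTTP (cache as of 2023-03-01):"
unprotected_http_urls "$CACHE" 20230301 \
    http://a.example/ http://www.b.example/ http://stale.example/
```

The a.example entry is missing from the sample cache, so the script flags http://a.example/ even though the host had been visited over HTTPS; that is exactly the amnesia the advisory describes. Expired entries (stale.example) are reported too, since curl would not upgrade them either.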
Source: This report was generated using AI