CVE-2023-28322: 
TensorFlow vulnerability analysis and mitigation

An information disclosure vulnerability exists in curl versions prior to 8.1.0 when performing HTTP(S) transfers. The vulnerability, identified as CVE-2023-28322, was discovered on April 19, 2023, and publicly disclosed on May 17, 2023. This flaw affects libcurl versions from 7.7 through 8.0.1 (Curl Advisory).

The vulnerability occurs when a handle is reused and changed from a PUT to a POST request. In such cases, libcurl might erroneously use the read callback (CURLOPTREADFUNCTION) to ask for data to send, even when the CURLOPTPOSTFIELDS option has been set. This issue is similar to CVE-2022-32221, with the difference that setting CURLOPTPOST for the second transfer avoids the problem, while only setting CURLOPTPOSTFIELDS after the PUT still causes the second transfer to become a PUT and use the callback (Curl Advisory).

The vulnerability may cause applications to misbehave and either send incorrect data or potentially use memory after it has been freed. While the actual code that could send wrong data or cause use-after-free conditions is not present in libcurl itself, these scenarios might occur due to libcurl unexpectedly calling the read callback when it shouldn't (Curl Advisory).

There are three recommended approaches to mitigate this vulnerability: 1) Upgrade curl to version 8.1.0 or later, 2) Apply the patch to your local version, or 3) Avoid mixing the use of read callback and CURLOPT_POSTFIELDS string on a reused easy handle. The fix involves improving the logic to avoid having two separate variable fields holding information about HTTP method and behavior (Curl Advisory).