CVE-2023-38546: 
TensorFlow vulnerability analysis and mitigation

A vulnerability in libcurl (CVE-2023-38546) was discovered that allows an attacker to insert cookies at will into a running program using libcurl, if specific conditions are met. The vulnerability affects libcurl versions 7.9.1 through 8.3.0 and was discovered on September 14, 2023, with a fix released in version 8.4.0 on October 11, 2023 (Curl Advisory).

The vulnerability occurs in the cookie handling mechanism when duplicating easy handles. When curleasyduphandle() is called on a handle with cookies enabled, the cookie-enable state is cloned but without cloning the actual cookies. If the source handle did not read cookies from a disk file, the cloned handle would store the filename as 'none'. Subsequent use of the cloned handle would then attempt to load cookies from a file named 'none' in the current directory, if such a file exists and contains valid cookie data (Curl Advisory). The vulnerability has been assigned a CVSS v3.1 Base Score of 3.7 LOW (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) (NVD).

The vulnerability could allow an attacker to inject cookies into a running program using libcurl, potentially affecting the application's behavior or security. However, the impact is considered low because the flaw requires specific conditions to be met, and the likelihood of an attacker being able to take advantage of it is low (Curl Advisory).

Three mitigation options are available: 1) Upgrade curl to version 8.4.0 or later, which no longer stores the filename in the cookie struct, 2) Apply the patch to the local version, or 3) Call curleasysetopt(clonedcurl, CURLOPTCOOKIELIST, "ALL"); right after every curleasyduphandle(); call (Curl Advisory).

The vulnerability has been acknowledged and patched by major technology companies including Apple, who included fixes in their macOS, iOS, and iPadOS updates (Apple Support, Apple Support, Apple Support). Fedora also released updates to address this vulnerability in their systems (Fedora Update).