CVE-2023-46218: 
MySQL vulnerability analysis and mitigation

CVE-2023-46218 is a security vulnerability discovered in curl versions 7.46.0 through 8.4.0. The flaw allows a malicious HTTP server to set "super cookies" that can be passed back to more origins than what is otherwise allowed or possible. This vulnerability was discovered on October 16, 2023, and was publicly disclosed on December 6, 2023 (Curl Advisory).

The vulnerability exploits a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example, a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows a site to set cookies that would get sent to different and unrelated sites and domains, potentially leading to disclosure of sensitive information or addition or modification of data (NetApp Advisory).

The vulnerability has been fixed in curl version 8.5.0, where the code now converts both strings to lowercase before checks. Users are recommended to upgrade to this version or apply the available patches. For systems that cannot be immediately upgraded, no alternative workarounds are currently available (Curl Advisory).