
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-46219 is a vulnerability in curl versions 7.84.0 through 8.4.0, reported on November 2, 2023. When saving HSTS (HTTP Strict Transport Security) data to an excessively long file name, curl could end up removing all of the file's contents, so that subsequent requests using that file were unaware of the HSTS status they should otherwise have applied (Curl Advisory).
The defect is in the save function, which appends a suffix to the file name, writes to that temporary file, and then renames it to the final name. When the file name was already close to the length limit the file system allows, adding the suffix pushed it over the limit and triggered the bug. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N and is classified as CWE-311: Missing Encryption of Sensitive Data (NVD, Curl Advisory).
Successful exploitation could lead to the addition or modification of data. When triggered, the bug clears the HSTS data file, so subsequent requests are unaware of the HSTS status they should use, which can weaken the security of HTTP connections (Curl Advisory).
The vulnerability was fixed in curl version 8.5.0, released on December 6, 2023. The fix generates the temporary file name from a purely random sequence of letters instead of deriving it from the original file name. Users are advised to upgrade to version 8.5.0 or later; if upgrading is not possible, the alternative is not to use HSTS (Curl Advisory).
Multiple vendors and distributions have released security advisories and patches for this vulnerability, including Debian, Fedora, and NetApp. Debian published security advisory DSA-5587-1 to address the issue in its distributions (Debian Advisory, Fedora Update).
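To illustrate the save pattern the advisory describes (a temporary file named after the target, then renamed over it) next to the approach of the fix (a temporary name made of random letters that does not grow with the target's name), here is an added C example. It is not curl's implementation: the function names, the sample file contents and the temporary-directory layout are constructed for this demonstration, and it reproduces only the name-length failure, not the data loss itself.

```c
/* Added example, not curl's code: atomic save of a small cache file such as an
 * HSTS store. Shows a temp name derived from the target (breaks near NAME_MAX)
 * beside one built from a short prefix plus random letters, independent of the
 * target's length, which is the shape of the curl 8.5.0 fix. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#ifndef NAME_MAX
#define NAME_MAX 255
#endif

static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, buf, len);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        buf += w; len -= (size_t)w;
    }
    return 0;
}

/* Fill the temp file, then rename it over the target. The target is only
 * replaced by a complete file; on any failure the temp file is removed. */
static int commit_tmp(const char *tmp, int fd, const char *path, const char *d, size_t len)
{
    if (write_all(fd, d, len) != 0 || fsync(fd) != 0) { int e = errno; close(fd); unlink(tmp); errno = e; return -1; }
    if (close(fd) != 0 || rename(tmp, path) != 0) { int e = errno; unlink(tmp); errno = e; return -1; }
    return 0;
}

/* Flawed pattern: temp name = target name + suffix. A basename two bytes under
 * NAME_MAX plus ".tmp" exceeds the limit, so open() fails (ENAMETOOLONG). */
int save_suffixed(const char *path, const char *d, size_t len)
{
    char tmp[PATH_MAX];
    int n = snprintf(tmp, sizeof tmp, "%s.tmp", path);
    if (n < 0 || (size_t)n >= sizeof tmp) { errno = ENAMETOOLONG; return -1; }
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;   /* the target must be left untouched on this path */
    return commit_tmp(tmp, fd, path, d, len);
}

/* Hardened pattern: same directory (so rename(2) is an atomic same-filesystem
 * move), but the name is a fixed prefix plus the random letters mkstemp(3)
 * supplies, so it never grows with the target's basename. */
int save_atomic(const char *path, const char *d, size_t len)
{
    char tmp[PATH_MAX];
    const char *slash = strrchr(path, '/');
    int dirlen = slash ? (int)(slash - path + 1) : 0;
    int n = snprintf(tmp, sizeof tmp, "%.*s.hsts-XXXXXX", dirlen, path);
    if (n < 0 || (size_t)n >= sizeof tmp) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    return commit_tmp(tmp, fd, path, d, len);
}

ssize_t read_file(const char *path, char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t got = read(fd, buf, bufsz);   /* one read suffices for a small cache file */
    close(fd);
    return got;
}

/* Constructed scenario: a target whose basename is NAME_MAX-2 bytes long.
 * Returns 0 when every expectation holds, else the number of the failed step. */
int demo_long_name(void)
{
    const char *orig = "example.com expires=20301231\n";   /* constructed sample, not curl's format */
    const char *upd  = "example.com expires=20401231\n";
    const char *base = getenv("TMPDIR");
    char dir[PATH_MAX], path[PATH_MAX], buf[128];
    ssize_t got;
    int step = 0, n = snprintf(dir, sizeof dir, "%s/hstsdemo.XXXXXX", base ? base : "/tmp");
    if (n < 0 || (size_t)n >= sizeof dir || !mkdtemp(dir)) return 1;
    n = snprintf(path, sizeof path, "%s/", dir);
    if (n < 0 || (size_t)n + NAME_MAX >= sizeof path) { rmdir(dir); return 2; }
    memset(path + n, 'h', NAME_MAX - 2);
    path[n + NAME_MAX - 2] = '\0';

    if (save_atomic(path, orig, strlen(orig)) != 0) step = 3;                  /* long name is fine */
    else if (save_suffixed(path, upd, strlen(upd)) == 0) step = 4;             /* must fail: too long */
    else if ((got = read_file(path, buf, sizeof buf)) != (ssize_t)strlen(orig)
             || memcmp(buf, orig, (size_t)got) != 0) step = 5;                  /* original intact */
    else if (save_atomic(path, upd, strlen(upd)) != 0) step = 6;
    else if ((got = read_file(path, buf, sizeof buf)) != (ssize_t)strlen(upd)
             || memcmp(buf, upd, (size_t)got) != 0) step = 7;                   /* replaced atomically */
    unlink(path);
    rmdir(dir);
    return step;
}
```

On a POSIX system, calling `demo_long_name()` returns 0 when the suffix-derived variant fails on the near-limit name while the original data survives, and the random-name variant then succeeds. The property a defender wants from such a routine is the one the demo checks at step 5: the target file is never touched until a complete replacement exists in the same directory, so a failure to create the temporary file, whatever its cause, cannot leave an empty store behind.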
Source: This report was generated using AI