PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-46219 Fedoraproject CVE debrief

CVE-2023-46219 is a medium-severity curl issue published on 2023-12-12. According to the advisory summary, saving HSTS data to an excessively long file name can cause curl to remove all contents of that HSTS data file. If that happens, subsequent requests that rely on the file may no longer see the HSTS status they should have used.

Vendor
Fedoraproject
Product
curl (NVD CPE data also lists Fedora 38)
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2023-12-12
Original CVE updated
2026-05-12
Advisory published
2023-12-12
Advisory updated
2026-05-12

Who should care

Administrators and developers who run curl or libcurl with HSTS persistence enabled (the curl command line's --hsts <file> option or libcurl's CURLOPT_HSTS), especially where the cache path is assembled from user- or deployment-controlled components and can grow very long. Fedora 38 is explicitly listed as affected in the NVD CPE data, and curl versions from 7.84.0 up to but not including 8.5.0 are marked vulnerable. Deployments that never write HSTS data to a file are outside the scenario the advisory describes.

Technical summary

NVD describes the issue as a file-handling problem in curl's HSTS persistence path: when curl saves HSTS data to an excessively long file name, the file ends up emptied. That file is what later curl invocations read to learn which hosts must be reached over HTTPS, so those invocations may no longer apply the HSTS state they should, and a plain http:// request that ought to have been upgraded may go out without the upgrade. The NVD record maps the weakness to CWE-311 and lists the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (low integrity impact, no confidentiality or availability impact).

Defensive priority

Medium. NVD scores the issue 5.3 with only a low integrity impact, but the failure is silent: the persisted HSTS state is erased rather than rejected, and nothing in the request path reports that the upgrade-to-HTTPS decision was made without it. Prioritize remediation on systems that depend on curl for security-sensitive HTTPS upgrade behavior or that automate file-based HSTS storage.

Recommended defensive actions

  • Upgrade curl to 8.5.0 or later, which is outside the vulnerable range NVD gives (7.84.0 up to but not including 8.5.0).
  • Check distributions and packages that bundle curl, including Fedora 38, for vendor backports or fixed builds.
  • Review any automation that writes curl HSTS data to disk and ensure file and path lengths are constrained.
  • After updating, verify that HSTS persistence still behaves as expected in your deployment.
  • Track vendor advisories linked in the record, especially the curl advisory, for package-specific remediation guidance.
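As an added check for the first and fourth actions above (a script written for this debrief, not PatchSiren's or the curl project's code): it compares an installed curl version string against the NVD range and inspects a curl HSTS cache file for the symptom the advisory describes, an existing file with no host entries. It assumes curl's plain-text HSTS cache layout (comment lines beginning with '#', then one host per line, with a leading dot marking includeSubDomains); the sample cache it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example for this debrief; not PatchSiren's or the curl project's code.
# Two offline checks for CVE-2023-46219:
#   1. is the installed curl inside the NVD range (7.84.0 <= version < 8.5.0)?
#   2. has a curl HSTS cache file been emptied (the symptom this CVE leaves)?
# Assumption: the cache is libcurl's text format, '#' comment lines followed by
# one host per line, a leading '.' meaning includeSubDomains.

# vernum "8.4.0" -> 8004000, so dotted versions compare as plain integers.
# A suffix such as "-DEV" is stripped first.
vernum() {
    clean=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$clean" | tr '.' ' ')
    printf '%d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}"
}

# curl_status "8.4.0" -> "vulnerable" | "not in range"
# "not in range" covers both fixed releases and releases before HSTS
# persistence was affected; it is not a statement about backported fixes.
curl_status() {
    v=$(vernum "$1")
    if [ "$v" -ge "$(vernum 7.84.0)" ] && [ "$v" -lt "$(vernum 8.5.0)" ]; then
        echo "vulnerable"
    else
        echo "not in range"
    fi
}

# hsts_state FILE -> "missing" | "emptied" | "entries=N"
# Counts lines that are neither comments nor blank. A file that exists but
# holds no host lines is exactly what this CVE leaves behind.
hsts_state() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    n=$(grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true)
    if [ "$n" -eq 0 ]; then
        echo "emptied"
    else
        echo "entries=$n"
    fi
}

# Demo: the installed curl (if any), then a constructed two-host cache that
# is truncated to show what the emptied state looks like.
if command -v curl >/dev/null 2>&1; then
    installed=$(curl --version | sed -n '1s/^curl \([^ ]*\).*/\1/p')
    echo "installed curl $installed: $(curl_status "$installed")"
fi
sample=$(mktemp)
printf '%s\n' \
    '# Your HSTS cache. https://curl.se/docs/hsts.html' \
    '.example.com "20261231 23:59:59"' \
    'example.org "20261231 23:59:59"' > "$sample"   # constructed sample
echo "sample cache: $(hsts_state "$sample")"
: > "$sample"                                        # simulate the emptied file
echo "after truncation: $(hsts_state "$sample")"
rm -f "$sample"
```

The version check goes by version string only: a distribution that backported the fix into an older release (the kind of build the second action asks you to look for) still reports as in range, so read "vulnerable" as "check the package changelog" rather than as a verdict. Running hsts_state against the real cache path after the update, and again after a request to a host that sends Strict-Transport-Security, is the verification the fourth action asks for.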

Evidence notes

This debrief is based only on the supplied CVE metadata and the linked official references listed in the record. The source description states that saving HSTS data to an excessively long file name can remove all contents of the HSTS file. NVD marks curl as affected from 7.84.0 up to before 8.5.0 and lists Fedora 38 as vulnerable via CPE criteria. The record also provides the curl vendor advisory, a HackerOne report, and downstream advisories from Fedora, NetApp, Debian, and Siemens as corroborating references.

Official resources

The CVE record was published on 2023-12-12. The supplied metadata shows no CISA KEV listing and no ransomware-campaign designation. The curl project's own advisory for this CVE is at https://curl.se/docs/CVE-2023-46219.html; the record also links the HackerOne report and the downstream Fedora, NetApp, Debian, and Siemens advisories noted above.