Package updates are available for Amazon Linux 2023 that fix the following vulnerabilities:

CVE-2025-9086: Out of bounds read for cookie path
NOTE: https://curl.se/docs/CVE-2025-9086.html
NOTE: Introduced with: https://github.com/curl/curl/commit/f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d (curl-7_31_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300 (rc-8_16_0-1)
CVE-2025-10966: curl's code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more.
CVE-2025-10148: predictable WebSocket mask
NOTE: https://curl.se/docs/CVE-2025-10148.html
NOTE: Fixed by: https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa7fa806fa0f2 (curl-8_16_0)
CVE-2025-0167:
When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has a default entry that omits both login and password, a rare circumstance.
CVE-2024-11053:
When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.
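The two .netrc advisories above (CVE-2025-0167 and CVE-2024-11053) only apply when the credential file contains a particular shape of entry: a `default` entry with neither login nor password, or a `machine` entry that omits the password or both fields. The following added example, which is not part of this advisory or of curl, parses a .netrc file and reports entries of those shapes so an administrator can see whether a host's file is exposed before the package update lands. It assumes the classic .netrc grammar (`machine`, `default`, `login`/`user`, `password`, `account`, `macdef`); the sample file and the helper names `parse_netrc` and `audit_netrc` are constructed for this example.

```python
"""Audit a .netrc file for the entry shapes described in CVE-2025-0167 and
CVE-2024-11053.  Added example; not code from the advisory or from curl.

Assumptions (not from the advisory): the file follows the classic .netrc
grammar, and `parse_netrc`/`audit_netrc` are hypothetical helper names.
"""
import shlex

# Constructed sample file for the example; none of these are real credentials.
SAMPLE_NETRC = """\
# constructed sample .netrc
machine api.example.com login alice password s3cret
macdef init
cd /pub
binary

machine mirror.example.net login bob
machine legacy.example.org
default
"""


def parse_netrc(text):
    """Return a list of (name, fields): name is a hostname or 'default',
    fields maps login/password/account to the values present in that entry.
    A macdef body (everything up to the next blank line) is skipped."""
    entries = []
    current = None
    in_macdef = False
    for line in text.splitlines():
        if in_macdef:
            if line.strip() == "":  # a blank line terminates the macro body
                in_macdef = False
            continue
        tokens = shlex.split(line, comments=True)
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "machine":
                if i + 1 >= len(tokens):
                    raise ValueError("'machine' without a hostname")
                current = {}
                entries.append((tokens[i + 1], current))
                i += 2
            elif tok == "default":
                current = {}
                entries.append(("default", current))
                i += 1
            elif tok in ("login", "user", "password", "account"):
                if current is None or i + 1 >= len(tokens):
                    raise ValueError(f"'{tok}' without a value or outside an entry")
                # 'user' is an accepted synonym for 'login'
                current["login" if tok == "user" else tok] = tokens[i + 1]
                i += 2
            elif tok == "macdef":
                in_macdef = True  # rest of this line is the macro name
                break
            else:
                raise ValueError(f"unexpected token {tok!r}")
    return entries


def audit_netrc(text):
    """Return [(entry_name, reason)] for entries whose shape matches the
    conditions named in the two advisories.  Whether a given entry is
    actually used depends on the redirect target at run time, so this only
    shows that the precondition exists, not that a leak occurred."""
    findings = []
    for name, fields in parse_netrc(text):
        has_login = "login" in fields
        has_password = "password" in fields
        if name == "default":
            if not has_login and not has_password:
                findings.append((name, "default entry omits both login and "
                                       "password (CVE-2025-0167 condition)"))
        elif has_login and not has_password:
            findings.append((name, "entry omits the password "
                                   "(CVE-2024-11053 condition)"))
        elif not has_login and not has_password:
            findings.append((name, "entry omits both login and password "
                                   "(CVE-2024-11053 condition)"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_netrc(SAMPLE_NETRC):
        print(f"{entry}: {reason}")
```

Running the module against the constructed sample reports `mirror.example.net`, `legacy.example.org` and `default`; the fully specified `api.example.com` entry is not reported. To check a real file, read `~/.netrc` and pass its contents to `audit_netrc`; a clean report does not replace applying the package update, it only tells you whether the described precondition is present.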
Updated package version: 8.15.0-4.amzn2023.0.1