Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-27782

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

Published

2022-06-02T14:15:44.663

Last Modified

2024-11-21T06:56:10.790

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-840
Type: Primary
CWE-295

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	haxx	curl	< 7.83.1	Yes
Operating System	debian	debian_linux	10.0	Yes
Operating System	debian	debian_linux	11.0	Yes
Application	splunk	universal_forwarder	< 8.2.12	Yes
Application	splunk	universal_forwarder	< 9.0.6	Yes
Application	splunk	universal_forwarder	9.1.0	Yes

References

http://www.openwall.com/lists/oss-security/2023/03/20/6 Mailing List ([email protected])
https://hackerone.com/reports/1555796 Exploit, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html Mailing List, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202212-01 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20220609-0009/ Third Party Advisory ([email protected])
https://www.debian.org/security/2022/dsa-5197 Mailing List, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2023/03/20/6 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1555796 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202212-01 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220609-0009/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2022/dsa-5197 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)