CVE-2022-27780

CVE	CVE-2022-27780
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-06-02 14:15:00 UTC
Updated	2024-03-27 15:01:00 UTC
Description	The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a different URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flawcan be used to circumvent filters, checks and more.

Problem Types: CWE-918

Type	Vendor	Product	Version	Update	Edition	Language
Application	Haxx	Curl	All	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Operating System	Netapp	Hci Bootstrap Os	-	All	All	All
Hardware	Netapp	Hci Compute Node	-	All	All	All
Application	Netapp	Solidfire Enterprise Sds Hci Storage Node	-	All	All	All
Application	Netapp	Solidfire Hci Management Node	-	All	All	All
Application	Splunk	Universal Forwarder	All	All	All	All
Application	Splunk	Universal Forwarder	9.1.0	All	All	All

Reference	Source	Link	Tags
June 2022 Libcurl Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security	GENTOO	security.gentoo.org
HackerOne	MISC	hackerone.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

183755 Debian Security Update for curl (CVE-2022-27780)
198780 Ubuntu Security Notification for curl Vulnerabilities (USN-5412-1)
282696 Fedora Security Update for curl (FEDORA-2022-d15a736748)
296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
354292 Amazon Linux Security Advisory for curl : ALAS2022-2022-206
354341 Amazon Linux Security Advisory for curl : ALAS2022-2022-065
354587 Amazon Linux Security Advisory for curl : ALAS-2022-206
355207 Amazon Linux Security Advisory for curl : ALAS2023-2023-083
378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
502213 Alpine Linux Security Update for curl
502408 Alpine Linux Security Update for curl
503890 Alpine Linux Security Update for curl
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
690868 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (11e36890-d28c-11ec-a06f-d4c9ef517024)
710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)
902169 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9895)
902174 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9909)
902387 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9909-1)
903755 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9895-1)