CVE-2022-27781
Published on: Not Yet Published
Last Modified on: 01/05/2023 05:54:00 PM UTC
Certain versions of Debian Linux from Debian contain the following vulnerability:
libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.
- CVE-2022-27781 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 7.5 - HIGH
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
UNCHANGED | NONE | NONE | HIGH |
CVSS2 Score: 5 - MEDIUM
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | LOW | NONE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
NONE | NONE | PARTIAL |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
June 2022 Libcurl Vulnerabilities in NetApp Products | NetApp Product Security | security.netapp.com text/html |
![]() |
curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security | security.gentoo.org text/html |
![]() |
HackerOne | hackerone.com text/html |
![]() |
Debian -- Security Information -- DSA-5197-1 curl | www.debian.org Depreciated Link text/html |
![]() |
[SECURITY] [DLA 3085-1] curl security update | lists.debian.org text/html |
![]() |
Related QID Numbers
- 180909 Debian Security Update for curl (DSA 5197-1)
- 180969 Debian Security Update for curl (DLA 3085-1)
- 198780 Ubuntu Security Notification for curl Vulnerabilities (USN-5412-1)
- 296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
- 354255 Amazon Linux Security Advisory for curl : ALAS-2022-1646
- 354731 Amazon Linux Security Advisory for curl : ALAS2-2023-1924
- 502213 Alpine Linux Security Update for curl
- 502407 Alpine Linux Security Update for curl
- 502408 Alpine Linux Security Update for curl
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 672028 EulerOS Security Update for curl (EulerOS-SA-2022-2238)
- 672030 EulerOS Security Update for curl (EulerOS-SA-2022-2251)
- 672064 EulerOS Security Update for curl (EulerOS-SA-2022-2217)
- 672121 EulerOS Security Update for curl (EulerOS-SA-2022-2310)
- 690868 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (11e36890-d28c-11ec-a06f-d4c9ef517024)
- 710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)
- 752149 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1733-1)
- 752162 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1805-1)
- 752185 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1870-1)
- 752476 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:2813-1)
- 752478 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:2829-1)
- 902161 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9881)
- 902165 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9890)
- 902396 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9890-1)
- 903718 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9881-1)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Operating System | Debian | Debian Linux | 10.0 | All | All | All |
Operating System | Debian | Debian Linux | 11.0 | All | All | All |
Application | Haxx | Curl | All | All | All | All |
Application | Netapp | Clustered Data Ontap | - | All | All | All |
Hardware
| Netapp | H300s | - | All | All | All |
Operating System | Netapp | H300s Firmware | - | All | All | All |
Hardware
| Netapp | H410s | - | All | All | All |
Operating System | Netapp | H410s Firmware | - | All | All | All |
Hardware
| Netapp | H500s | - | All | All | All |
Operating System | Netapp | H500s Firmware | - | All | All | All |
Hardware
| Netapp | H700s | - | All | All | All |
Operating System | Netapp | H700s Firmware | - | All | All | All |
Operating System | Netapp | Hci Bootstrap Os | - | All | All | All |
Hardware
| Netapp | Hci Compute Node | - | All | All | All |
Hardware
| Netapp | Hci Compute Node | - | All | All | All |
Application | Netapp | Solidfire Enterprise Sds Hci Storage Node | - | All | All | All |
Application | Netapp | Solidfire Hci Management Node | - | All | All | All |
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*:
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*:
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
![]() |
cURL の証明書の処理にサービスを妨害される問題 (CVE-2022-27781) [42171] sid.softek.jp/content/show/4… #SIDfm #脆弱性情報 | 2022-05-12 08:00:08 |
![]() |
[email protected] #Vulnérabilité de cURL : surcharge via CERTINFO. vigilance.fr/vulnerabilite/… Références : #CVE-2022-27781.… twitter.com/i/web/status/1… | 2022-05-13 09:09:03 |
![]() |
[email protected] #Vulnerability of cURL: overload via CERTINFO. vigilance.fr/vulnerability/… Identifiers: #CVE-2022-27781.… twitter.com/i/web/status/1… | 2022-05-13 09:09:04 |
![]() |
HackerOne Bug Bounty Disclosure: cve-2022-27781:-certinfo-never-ending-busy-loopbysybr - redpacketsecurity.com/hackerone-bugb… | 2022-05-16 17:01:39 |
![]() |
cve.report/CVE-2022-27781 libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to… twitter.com/i/web/status/1… | 2022-06-02 16:36:22 |
![]() |
already curl-7.83.0 is vulnerable: | 2022-05-13 21:52:27 |
![]() |
DSM Version: 7.2-64561 | 2023-05-22 03:16:44 |
![]() |
ADM 4.2.2.RI61 ( 2023-06-07 ) Released | 2023-06-07 21:00:55 |
![]() |
DSM: Version: 7.2-64570 released! | 2023-06-08 08:08:47 |