CVE-2022-27781
Published on: Not Yet Published
Last Modified on: 06/13/2022 06:38:00 PM UTC
Certain versions of Curl from Haxx contain the following vulnerability:
libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.
- CVE-2022-27781 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 7.5 - HIGH
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
UNCHANGED | NONE | NONE | HIGH |
CVSS2 Score: 5 - MEDIUM
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | LOW | NONE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
NONE | NONE | PARTIAL |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
June 2022 Libcurl Vulnerabilities in NetApp Products | NetApp Product Security | security.netapp.com text/html |
![]() |
HackerOne | hackerone.com text/html |
![]() |
Related QID Numbers
- 198780 Ubuntu Security Notification for curl Vulnerabilities (USN-5412-1)
- 690868 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (11e36890-d28c-11ec-a06f-d4c9ef517024)
- 752149 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1733-1)
- 752162 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1805-1)
- 752185 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1870-1)
- 902161 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9881)
- 902165 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9890)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Haxx | Curl | All | All | All | All |
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
![]() |
cURL の証明書の処理にサービスを妨害される問題 (CVE-2022-27781) [42171] sid.softek.jp/content/show/4… #SIDfm #脆弱性情報 | 2022-05-12 08:00:08 |
![]() |
[email protected] #Vulnérabilité de cURL : surcharge via CERTINFO. vigilance.fr/vulnerabilite/… Références : #CVE-2022-27781.… twitter.com/i/web/status/1… | 2022-05-13 09:09:03 |
![]() |
[email protected] #Vulnerability of cURL: overload via CERTINFO. vigilance.fr/vulnerability/… Identifiers: #CVE-2022-27781.… twitter.com/i/web/status/1… | 2022-05-13 09:09:04 |
![]() |
HackerOne Bug Bounty Disclosure: cve-2022-27781:-certinfo-never-ending-busy-loopbysybr - redpacketsecurity.com/hackerone-bugb… | 2022-05-16 17:01:39 |
![]() |
cve.report/CVE-2022-27781 libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to… twitter.com/i/web/status/1… | 2022-06-02 16:36:22 |
![]() |
already curl-7.83.0 is vulnerable: | 2022-05-13 21:52:27 |