CVE-2022-27782
Published on: Not Yet Published
Last Modified on: 03/20/2023 09:15:00 AM UTC
Certain versions of Debian Linux from Debian contain the following vulnerability:
libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.
- CVE-2022-27782 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 7.5 - HIGH
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
UNCHANGED | NONE | HIGH | NONE |
CVSS2 Score: 5 - MEDIUM
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | LOW | NONE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
NONE | PARTIAL | NONE |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
June 2022 Libcurl Vulnerabilities in NetApp Products | NetApp Product Security | security.netapp.com text/html |
![]() |
curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security | security.gentoo.org text/html |
![]() |
HackerOne | hackerone.com text/html |
![]() |
oss-security - [SECURITY ADVISORY] curl: CVE-2023-27538: SSH connection too eager reuse still | www.openwall.com text/html |
![]() |
Debian -- Security Information -- DSA-5197-1 curl | www.debian.org Depreciated Link text/html |
![]() |
[SECURITY] [DLA 3085-1] curl security update | lists.debian.org text/html |
![]() |
Related QID Numbers
- 159919 Oracle Enterprise Linux Security Update for curl (ELSA-2022-5313)
- 159933 Oracle Enterprise Linux Security Update for curl (ELSA-2022-5245)
- 180909 Debian Security Update for curl (DSA 5197-1)
- 180969 Debian Security Update for curl (DLA 3085-1)
- 181512 Debian Security Update for curl (DLA 3288-1)
- 198780 Ubuntu Security Notification for curl Vulnerabilities (USN-5412-1)
- 240502 Red Hat Update for curl (RHSA-2022:5245)
- 240504 Red Hat Update for curl (RHSA-2022:5313)
- 282695 Fedora Security Update for curl (FEDORA-2022-3d8f00cde2)
- 282696 Fedora Security Update for curl (FEDORA-2022-d15a736748)
- 282754 Fedora Security Update for curl (FEDORA-2022-8277bef335)
- 296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
- 353981 Amazon Linux Security Advisory for curl : ALAS2-2022-1808
- 354255 Amazon Linux Security Advisory for curl : ALAS-2022-1646
- 354292 Amazon Linux Security Advisory for curl : ALAS2022-2022-206
- 354341 Amazon Linux Security Advisory for curl : ALAS2022-2022-065
- 354587 Amazon Linux Security Advisory for curl : ALAS-2022-206
- 355207 Amazon Linux Security Advisory for curl : ALAS2023-2023-083
- 377351 Alibaba Cloud Linux Security Update for curl (ALINUX3-SA-2022:0142)
- 377909 Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUJAN2023)
- 377911 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (CPUJAN2023)
- 502213 Alpine Linux Security Update for curl
- 502407 Alpine Linux Security Update for curl
- 502408 Alpine Linux Security Update for curl
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 672028 EulerOS Security Update for curl (EulerOS-SA-2022-2238)
- 672030 EulerOS Security Update for curl (EulerOS-SA-2022-2251)
- 672064 EulerOS Security Update for curl (EulerOS-SA-2022-2217)
- 672121 EulerOS Security Update for curl (EulerOS-SA-2022-2310)
- 690868 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (11e36890-d28c-11ec-a06f-d4c9ef517024)
- 710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)
- 752149 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1733-1)
- 752162 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1805-1)
- 752185 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1870-1)
- 752476 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:2813-1)
- 752478 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:2829-1)
- 902152 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9868)
- 902157 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9877)
- 902379 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9877-1)
- 903727 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9868-1)
- 940598 AlmaLinux Security Update for curl (ALSA-2022:5313)
- 960152 Rocky Linux Security Update for curl (RLSA-2022:5313)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Operating System | Debian | Debian Linux | 10.0 | All | All | All |
Operating System | Debian | Debian Linux | 11.0 | All | All | All |
Application | Haxx | Curl | All | All | All | All |
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*:
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*:
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
![]() |
@bagder It looks like curl.se/docs/CVE-2022-… yields a 404, while listed on curl.se/docs/security.… | 2022-05-11 07:07:04 |
![]() |
cURL に TLS および SSH 接続を不正に再利用する問題 (CVE-2022-27782) [42172] sid.softek.jp/content/show/4… #SIDfm #脆弱性情報 | 2022-05-12 08:00:09 |
![]() |
cURL libcurl security bypass | CVE-2022-27782 - redpacketsecurity.com/curl-libcurl-s… | 2022-05-12 09:01:18 |
![]() |
Internet Bug Bounty: CVE-2022-27782: TLS and SSH connection too eager reuse replug.link/270f5440 | 2022-05-16 01:52:10 |
![]() |
cve.report/CVE-2022-27782 libcurl would reuse a previously created connection even when a TLS or SSHrelated option h… twitter.com/i/web/status/1… | 2022-06-02 16:36:40 |
![]() |
already curl-7.83.0 is vulnerable: | 2022-05-13 21:52:27 |
![]() |
DSM Version: 7.2-64561 | 2023-05-22 03:16:44 |