CVE-2022-27782
Published on: Not Yet Published
Last Modified on: 06/10/2022 06:33:00 PM UTC
Certain versions of Curl from Haxx contain the following vulnerability:
libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.
- CVE-2022-27782 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 7.5 - HIGH
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
UNCHANGED | NONE | HIGH | NONE |
CVSS2 Score: 5 - MEDIUM
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | LOW | NONE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
NONE | PARTIAL | NONE |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
June 2022 Libcurl Vulnerabilities in NetApp Products | NetApp Product Security | security.netapp.com text/html |
![]() |
HackerOne | hackerone.com text/html |
![]() |
Related QID Numbers
- 198780 Ubuntu Security Notification for curl Vulnerabilities (USN-5412-1)
- 282695 Fedora Security Update for curl (FEDORA-2022-3d8f00cde2)
- 282696 Fedora Security Update for curl (FEDORA-2022-d15a736748)
- 282754 Fedora Security Update for curl (FEDORA-2022-8277bef335)
- 690868 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (11e36890-d28c-11ec-a06f-d4c9ef517024)
- 752149 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1733-1)
- 752162 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1805-1)
- 752185 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:1870-1)
- 902152 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9868)
- 902157 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9877)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Haxx | Curl | All | All | All | All |
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
![]() |
@bagder It looks like curl.se/docs/CVE-2022-… yields a 404, while listed on curl.se/docs/security.… | 2022-05-11 07:07:04 |
![]() |
cURL に TLS および SSH 接続を不正に再利用する問題 (CVE-2022-27782) [42172] sid.softek.jp/content/show/4… #SIDfm #脆弱性情報 | 2022-05-12 08:00:09 |
![]() |
cURL libcurl security bypass | CVE-2022-27782 - redpacketsecurity.com/curl-libcurl-s… | 2022-05-12 09:01:18 |
![]() |
Internet Bug Bounty: CVE-2022-27782: TLS and SSH connection too eager reuse replug.link/270f5440 | 2022-05-16 01:52:10 |
![]() |
cve.report/CVE-2022-27782 libcurl would reuse a previously created connection even when a TLS or SSHrelated option h… twitter.com/i/web/status/1… | 2022-06-02 16:36:40 |
![]() |
already curl-7.83.0 is vulnerable: | 2022-05-13 21:52:27 |