CVE-2022-30115
Published on: Not Yet Published
Last Modified on: 01/05/2023 05:50:00 PM UTC
Certain versions of Curl from Haxx contain the following vulnerability:
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the HSTS cache and *not* using the trailing dot in the URL.
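The mismatch the description refers to, shown as an added worked example. This is a model of an HSTS cache lookup written for this page, not curl's own source: `hsts_match_vulnerable` compares host names byte for byte, so a cache entry built from `example.com` misses a URL naming `example.com.` (and vice versa) and the request goes out over clear-text HTTP; `hsts_match_fixed` ignores a trailing dot and case on both sides before comparing, which is the behaviour curl adopted in 7.83.1. The `demo_cache_*` arrays, the `hsts_entry` struct and all host names are constructed inputs.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One HSTS cache entry: a host name learned from a Strict-Transport-Security
 * response header. Illustrative model only; curl's real entry also tracks
 * expiry and includeSubDomains. */
struct hsts_entry {
    const char *host;
};

/* Constructed sample caches, one for each direction the CVE text describes. */
const struct hsts_entry demo_cache_nodot[] = { { "example.com" } };
const struct hsts_entry demo_cache_dot[]   = { { "example.com." } };
const size_t demo_cache_len = 1;

/* Vulnerable lookup (models the behaviour the CVE describes, not curl's
 * actual pre-fix code): an exact byte comparison, so "example.com" and
 * "example.com." never match each other. */
bool hsts_match_vulnerable(const struct hsts_entry *cache, size_t n,
                           const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cache[i].host, host) == 0)
            return true;
    return false;
}

/* Length of a host name with one trailing dot (the DNS root label) excluded;
 * a lone "." is left alone. */
static size_t hostlen_no_trailing_dot(const char *host)
{
    size_t len = strlen(host);
    if (len > 1 && host[len - 1] == '.')
        len--;
    return len;
}

/* ASCII case-insensitive comparison of the first n bytes. */
static bool eq_nocase_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Hardened lookup: canonicalise both sides by ignoring a trailing dot and
 * comparing case-insensitively (DNS names are), so the cache hits whichever
 * spelling the URL or the stored entry happened to use. */
bool hsts_match_fixed(const struct hsts_entry *cache, size_t n,
                      const char *host)
{
    size_t hlen = hostlen_no_trailing_dot(host);
    for (size_t i = 0; i < n; i++) {
        if (hostlen_no_trailing_dot(cache[i].host) == hlen &&
            eq_nocase_n(cache[i].host, host, hlen))
            return true;
    }
    return false;
}

typedef bool (*hsts_matcher)(const struct hsts_entry *, size_t, const char *);

/* Scheme a client uses for a plain http:// URL to `host`: upgraded to https
 * only when the cache lookup succeeds. A miss is the clear-text downgrade an
 * on-path attacker benefits from. */
const char *scheme_for_http_url(hsts_matcher match,
                                const struct hsts_entry *cache, size_t n,
                                const char *host)
{
    return match(cache, n, host) ? "https" : "http";
}

int main(void)
{
    const char *hosts[] = { "example.com", "example.com.", "EXAMPLE.COM." };
    for (size_t i = 0; i < 3; i++)
        printf("cache=example.com url_host=%-13s vulnerable=%-5s fixed=%s\n",
               hosts[i],
               scheme_for_http_url(hsts_match_vulnerable, demo_cache_nodot,
                                   demo_cache_len, hosts[i]),
               scheme_for_http_url(hsts_match_fixed, demo_cache_nodot,
                                   demo_cache_len, hosts[i]));
    return 0;
}
```

Build with `cc -std=c11 -o hsts_demo hsts_demo.c`; the second output line shows the vulnerable matcher sending `example.com.` over http while the fixed one upgrades it. As a practical check, anything that relies on curl's `--hsts` cache (or `CURLOPT_HSTS`) should be running curl 7.83.1 or later, where the trailing dot is ignored when matching; `curl --version` reports the build in use.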
- CVE-2022-30115 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 4.3 - MEDIUM
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | LOW | NONE |
Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | LOW | NONE | NONE |
CVSS2 Score: 4 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | SINGLE |
Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | NONE | NONE |
CVE References
Description | Link |
---|---|
oss-security - curl: CVE-2022-43551: Another HSTS bypass via IDN | www.openwall.com (text/html) |
June 2022 Libcurl Vulnerabilities in NetApp Products (NetApp Product Security) | security.netapp.com (text/html) |
curl: Multiple Vulnerabilities (GLSA 202212-01) - Gentoo security | security.gentoo.org (text/html) |
HackerOne | hackerone.com (text/html) |
oss-security - [SECURITY ADVISORY] CVE-2022-42916: HSTS bypass via IDN (curl) | www.openwall.com (text/html) |
Related QID Numbers
- 282696 Fedora Security Update for curl (FEDORA-2022-d15a736748)
- 296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
- 354292 Amazon Linux Security Advisory for curl : ALAS2022-2022-206
- 354341 Amazon Linux Security Advisory for curl : ALAS2022-2022-065
- 354587 Amazon Linux Security Advisory for curl : ALAS-2022-206
- 355207 Amazon Linux Security Advisory for curl : ALAS2023-2023-083
- 502213 Alpine Linux Security Update for curl
- 591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
- 690868 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (11e36890-d28c-11ec-a06f-d4c9ef517024)
- 710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)
- 902162 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9882)
- 902164 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9891)
- 902384 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9891-1)
- 903772 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9882-1)
Exploit/POC from Github
This repository contains a collection of data files on known Common Vulnerabilities and Exposures (CVEs). Each file i…
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Haxx | Curl | All | All | All | All |
Application | Netapp | Clustered Data Ontap | - | All | All | All |
Hardware | Netapp | H300s | - | All | All | All |
Operating System | Netapp | H300s Firmware | - | All | All | All |
Hardware | Netapp | H410s | - | All | All | All |
Operating System | Netapp | H410s Firmware | - | All | All | All |
Hardware | Netapp | H500s | - | All | All | All |
Operating System | Netapp | H500s Firmware | - | All | All | All |
Hardware | Netapp | H700s | - | All | All | All |
Operating System | Netapp | H700s Firmware | - | All | All | All |
Operating System | Netapp | Hci Bootstrap Os | - | All | All | All |
Hardware | Netapp | Hci Compute Node | - | All | All | All |
Application | Netapp | Solidfire Enterprise Sds Hci Storage Node | - | All | All | All |
Application | Netapp | Solidfire Hci Management Node | - | All | All | All |
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*:
- cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*:
- cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Title | Posted (UTC) |
---|---|
Issue allowing HSTS to be bypassed in cURL (CVE-2022-30115) [42173] sid.softek.jp/content/show/4… #SIDfm #脆弱性情報 | 2022-05-12 08:00:11 |
[email protected] #Vulnerability of cURL: no encryption via HSTS. vigilance.fr/vulnerability/… Identifiers: #CVE-2022-30115.… twitter.com/i/web/status/1… | 2022-05-13 11:09:04 |
cve.report/CVE-2022-30115 Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an in… twitter.com/i/web/status/1… | 2022-06-02 16:39:18 |
already curl-7.83.0 is vulnerable: | 2022-05-13 21:52:27 |
Security Bulletin: IBM MQ is vulnerable to issues with libcurl (CVE-2022-27780, CVE-2022-30115) | 2022-08-25 07:47:42 |