CVE-2022-30115

CVE	CVE-2022-30115
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-06-02 14:15:00 UTC
Updated	2024-03-27 15:01:00 UTC
Description	Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and not using thetrailing dot in the URL.

Problem Types: CWE-319

Type	Vendor	Product	Version	Update	Edition	Language
Application	Haxx	Curl	All	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Operating System	Netapp	Hci Bootstrap Os	-	All	All	All
Hardware	Netapp	Hci Compute Node	-	All	All	All
Application	Netapp	Solidfire Enterprise Sds Hci Storage Node	-	All	All	All
Application	Netapp	Solidfire Hci Management Node	-	All	All	All
Application	Splunk	Universal Forwarder	All	All	All	All
Application	Splunk	Universal Forwarder	9.1.0	All	All	All

Reference	Source	Link	Tags
oss-security - curl: CVE-2022-43551: Another HSTS bypass via IDN	MLIST	www.openwall.com
June 2022 Libcurl Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security	GENTOO	security.gentoo.org
HackerOne	MISC	hackerone.com
oss-security - [SECURITY ADVISORY] CVE-2022-42916: HSTS bypass via IDN (curl)	MLIST	www.openwall.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

184818 Debian Security Update for curl (CVE-2022-30115)
282696 Fedora Security Update for curl (FEDORA-2022-d15a736748)
296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
354292 Amazon Linux Security Advisory for curl : ALAS2022-2022-206
354341 Amazon Linux Security Advisory for curl : ALAS2022-2022-065
354587 Amazon Linux Security Advisory for curl : ALAS-2022-206
355207 Amazon Linux Security Advisory for curl : ALAS2023-2023-083
378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
502213 Alpine Linux Security Update for curl
503890 Alpine Linux Security Update for curl
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
690868 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (11e36890-d28c-11ec-a06f-d4c9ef517024)
710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)
902162 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9882)
902164 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9891)
902384 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9891-1)
903772 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9882-1)