CVE-2022-30115
Published on: Not Yet Published
Last Modified on: 06/22/2022 01:47:00 PM UTC
Certain versions of Curl from Haxx contain the following vulnerability:
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the HSTS cache and *not* using the trailing dot in the URL.
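The description above is the whole bug: an HSTS cache keyed on the exact host string treats "example.com" and "example.com." (the absolute DNS form) as two different hosts, so a request for whichever spelling was not cached falls through to clear-text HTTP. The C program below is an added example, not code from the curl project or from this page. It models a tiny HSTS cache with two lookups: `hsts_match_naive`, which compares bytes exactly and misses in both directions, and `hsts_match_fixed`, which lowercases and drops one trailing dot on both sides before comparing and also honours includeSubDomains on a label boundary. The struct, function names and the single constructed cache entry are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 256

/* Minimal model of an HSTS cache entry (illustrative, not curl's lib/hsts.c). */
struct hsts_entry {
    const char *host;        /* host name as stored when the policy was learned */
    bool include_subdomains; /* Strict-Transport-Security: includeSubDomains */
};

/* Naive lookup: exact, case-sensitive byte comparison. "example.com." and
 * "example.com" are different strings here, so a cached policy is missed
 * whenever the URL and the cache disagree on the trailing dot (the
 * CVE-2022-30115 failure mode, in either direction). */
bool hsts_match_naive(const struct hsts_entry *cache, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cache[i].host, host) == 0)
            return true;
    return false;
}

/* Copy a host name into out, lowercased, with one trailing dot removed.
 * Returns false if the name does not fit the buffer. */
static bool host_normalize(const char *in, char *out, size_t outsz)
{
    size_t len = strlen(in);
    if (len > 0 && in[len - 1] == '.')
        len--;                              /* "example.com." -> "example.com" */
    if (len + 1 > outsz)
        return false;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[len] = '\0';
    return true;
}

/* Hardened lookup: both sides are normalized before comparison, and an
 * entry with includeSubDomains also matches any host that has the cached
 * name as a suffix starting at a label boundary ("www.example.com."). */
bool hsts_match_fixed(const struct hsts_entry *cache, size_t n, const char *host)
{
    char h[HOST_MAX], c[HOST_MAX];
    if (!host_normalize(host, h, sizeof h))
        return false;
    size_t hlen = strlen(h);
    for (size_t i = 0; i < n; i++) {
        if (!host_normalize(cache[i].host, c, sizeof c))
            continue;
        size_t clen = strlen(c);
        if (strcmp(h, c) == 0)
            return true;
        if (cache[i].include_subdomains && hlen > clen &&
            h[hlen - clen - 1] == '.' && strcmp(h + hlen - clen, c) == 0)
            return true;
    }
    return false;
}

/* Scheme an HSTS-aware client would use for an http:// URL to this host:
 * upgraded to https only when the cache lookup hits. */
const char *scheme_for(const struct hsts_entry *cache, size_t n,
                       const char *host, bool fixed)
{
    bool hit = fixed ? hsts_match_fixed(cache, n, host)
                     : hsts_match_naive(cache, n, host);
    return hit ? "https" : "http";
}

int main(void)
{
    /* Constructed cache: one policy learned from an earlier HTTPS response. */
    const struct hsts_entry cache[] = { { "example.com", true } };
    const char *hosts[] = { "example.com", "example.com.", "EXAMPLE.COM",
                            "www.example.com." };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s naive=%-6s fixed=%s\n", hosts[i],
               scheme_for(cache, 1, hosts[i], false),
               scheme_for(cache, 1, hosts[i], true));
    return 0;
}
```

Run it and the naive column shows "example.com." going out over http while "example.com" is upgraded; swap the trailing dot into the cached entry and the miss flips to the other spelling, exactly as the description says. curl itself fixed this in 7.83.1 by ignoring the trailing dot when comparing host names; the normalization here models that behaviour but is not curl's implementation. When checking a build, test both spellings of the host against an HSTS cache file populated with only one of them.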
- CVE-2022-30115 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 4.3 - MEDIUM
Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|---|---|---|---|
NETWORK | LOW | LOW | NONE | UNCHANGED | LOW | NONE | NONE |
CVSS2 Score: 4 - MEDIUM
Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|---|---|
NETWORK | LOW | SINGLE | PARTIAL | NONE | NONE |
CVE References
Description | Tags | Link |
---|---|---|
June 2022 Libcurl Vulnerabilities in NetApp Products | NetApp Product Security | security.netapp.com text/html |
HackerOne | | hackerone.com text/html |
Related QID Numbers
- 282696 Fedora Security Update for curl (FEDORA-2022-d15a736748)
- 690868 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (11e36890-d28c-11ec-a06f-d4c9ef517024)
- 902162 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9882)
- 902164 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9891)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Haxx | Curl | All | All | All | All |
Operating System | Netapp | Hci Bootstrap Os | - | All | All | All |
Hardware | Netapp | Hci Compute Node | - | All | All | All |
Application | Netapp | Solidfire Enterprise Sds Hci Storage Node | - | All | All | All |
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:*:*:*:*:*:*:*
No vendor comments have been submitted for this CVE
Social Mentions
Title | Posted (UTC) |
---|---|
cURL HSTS bypass issue (CVE-2022-30115) [42173] sid.softek.jp/content/show/4… #SIDfm #脆弱性情報 | 2022-05-12 08:00:11 |
[email protected] #Vulnerability of cURL: no encryption via HSTS. vigilance.fr/vulnerability/… Identifiers: #CVE-2022-30115.… twitter.com/i/web/status/1… | 2022-05-13 11:09:04 |
cve.report/CVE-2022-30115 Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an in… twitter.com/i/web/status/1… | 2022-06-02 16:39:18 |
already curl-7.83.0 is vulnerable: | 2022-05-13 21:52:27 |