CVE-2022-32205

Summary

CVE	CVE-2022-32205
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-07-07 13:15:00 UTC
Updated	2024-03-27 15:01:00 UTC
Description	A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Apple	Macos	All	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Application	Haxx	Curl	All	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Application	Netapp	Element Software	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Application	Netapp	Hci Management Node	-	All	All	All
Application	Netapp	Solidfire	-	All	All	All
Hardware	Siemens	Scalance Sc622-2c	-	All	All	All
Operating System	Siemens	Scalance Sc622-2c Firmware	All	All	All	All
Hardware	Siemens	Scalance Sc626-2c	-	All	All	All
Operating System	Siemens	Scalance Sc626-2c Firmware	All	All	All	All
Hardware	Siemens	Scalance Sc632-2c	-	All	All	All
Operating System	Siemens	Scalance Sc632-2c Firmware	All	All	All	All
Hardware	Siemens	Scalance Sc636-2c	-	All	All	All
Operating System	Siemens	Scalance Sc636-2c Firmware	All	All	All	All
Hardware	Siemens	Scalance Sc642-2c	-	All	All	All
Operating System	Siemens	Scalance Sc642-2c Firmware	All	All	All	All
Hardware	Siemens	Scalance Sc646-2c	-	All	All	All
Operating System	Siemens	Scalance Sc646-2c Firmware	All	All	All	All
Application	Splunk	Universal Forwarder	All	All	All	All
Application	Splunk	Universal Forwarder	9.1.0	All	All	All

References

Reference	Source	Link	Tags
Full Disclosure: APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13	FULLDISC	seclists.org
curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security	GENTOO	security.gentoo.org
HackerOne	MISC	hackerone.com
About the security content of macOS Ventura 13 - Apple Support	CONFIRM	support.apple.com
[SECURITY] Fedora 35 Update: curl-7.79.1-5.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf	CONFIRM	cert-portal.siemens.com
[SECURITY] Fedora 35 Update: curl-7.79.1-5.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
July 2022 Libcurl Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Full Disclosure: APPLE-SA-2022-10-24-2 macOS Ventura 13	FULLDISC	seclists.org
Debian -- Security Information -- DSA-5197-1 curl	DEBIAN	www.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

180909 Debian Security Update for curl (DSA 5197-1)
184770 Debian Security Update for curl (CVE-2022-32205)
198842 Ubuntu Security Notification for curl Vulnerabilities (USN-5495-1)
282881 Fedora Security Update for curl (FEDORA-2022-8bd3bf5b40)
282944 Fedora Security Update for curl (FEDORA-2022-1b3d7f6973)
354105 Amazon Linux Security Advisory for curl : ALAS2-2022-1875
354292 Amazon Linux Security Advisory for curl : ALAS2022-2022-206
354377 Amazon Linux Security Advisory for curl : ALAS2022-2022-145
354587 Amazon Linux Security Advisory for curl : ALAS-2022-206
355207 Amazon Linux Security Advisory for curl : ALAS2023-2023-083
378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
502407 Alpine Linux Security Update for curl
502408 Alpine Linux Security Update for curl
502409 Alpine Linux Security Update for curl
502715 Alpine Linux Security Update for curl
505611 Alpine Linux Security Update for curl
591257 Siemens SCALANCE SC-600 Family Multiple Vulnerabilities (ICSA-22-349-18, SSA-333517)
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
672161 EulerOS Security Update for curl (EulerOS-SA-2022-2426)
672168 EulerOS Security Update for curl (EulerOS-SA-2022-2413)
690887 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (ae5722a6-f5f0-11ec-856e-d4c9ef517024)
710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)
752314 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:2305-1)
902457 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10109)
902474 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10097)
902552 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10113)
902628 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10101-1)
903778 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10113-1)