CVE-2022-32207

Summary

CVE	CVE-2022-32207
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-07-07 13:15:00 UTC
Updated	2024-03-27 15:00:00 UTC
Description	When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended.

Risk And Classification

Problem Types: CWE-276

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Apple	Macos	All	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Application	Haxx	Curl	All	All	All	All
Operating System	Netapp	Bootstrap Os	-	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Application	Netapp	Element Software	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Hardware	Netapp	Hci Compute Node	-	All	All	All
Application	Netapp	Hci Management Node	-	All	All	All
Application	Netapp	Solidfire	-	All	All	All
Application	Splunk	Universal Forwarder	All	All	All	All
Application	Splunk	Universal Forwarder	9.1.0	All	All	All

References

Reference	Source	Link	Tags
Full Disclosure: APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13	FULLDISC	seclists.org
curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security	GENTOO	security.gentoo.org
About the security content of macOS Ventura 13 - Apple Support	CONFIRM	support.apple.com
[SECURITY] Fedora 35 Update: curl-7.79.1-5.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
HackerOne	MISC	hackerone.com
[SECURITY] Fedora 35 Update: curl-7.79.1-5.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
July 2022 Libcurl Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Full Disclosure: APPLE-SA-2022-10-24-2 macOS Ventura 13	FULLDISC	seclists.org
Debian -- Security Information -- DSA-5197-1 curl	DEBIAN	www.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

160064 Oracle Enterprise Linux Security Update for curl (ELSA-2022-6157)
180909 Debian Security Update for curl (DSA 5197-1)
184848 Debian Security Update for curl (CVE-2022-32207)
198842 Ubuntu Security Notification for curl Vulnerabilities (USN-5495-1)
240634 Red Hat Update for curl (RHSA-2022:6157)
240996 Red Hat Update for JBoss Core Services (RHSA-2022:8840)
282881 Fedora Security Update for curl (FEDORA-2022-8bd3bf5b40)
282944 Fedora Security Update for curl (FEDORA-2022-1b3d7f6973)
354105 Amazon Linux Security Advisory for curl : ALAS2-2022-1875
354292 Amazon Linux Security Advisory for curl : ALAS2022-2022-206
354377 Amazon Linux Security Advisory for curl : ALAS2022-2022-145
354587 Amazon Linux Security Advisory for curl : ALAS-2022-206
355207 Amazon Linux Security Advisory for curl : ALAS2023-2023-083
378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
502407 Alpine Linux Security Update for curl
502408 Alpine Linux Security Update for curl
502409 Alpine Linux Security Update for curl
502715 Alpine Linux Security Update for curl
505611 Alpine Linux Security Update for curl
591406 Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)
672121 EulerOS Security Update for curl (EulerOS-SA-2022-2310)
672161 EulerOS Security Update for curl (EulerOS-SA-2022-2426)
672168 EulerOS Security Update for curl (EulerOS-SA-2022-2413)
690887 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (ae5722a6-f5f0-11ec-856e-d4c9ef517024)
710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)
752314 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:2305-1)
902462 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10111)
902473 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10099)
902512 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10115)
902627 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10103-1)
903786 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (10115-1)
904816 Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (12314)
904861 Common Base Linux Mariner (CBL-Mariner) Security Update for rust (12436)
905033 Common Base Linux Mariner (CBL-Mariner) Security Update for cmake (12474)
905166 Common Base Linux Mariner (CBL-Mariner) Security Update for rust (12646)
940646 AlmaLinux Security Update for curl (ALSA-2022:6157)
960573 Rocky Linux Security Update for curl (RLSA-2022:6157)