CVE-2022-35260

CVE	CVE-2022-35260
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-12-05 22:15:00 UTC
Updated	2024-03-27 15:00:00 UTC
Description	curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

Problem Types: CWE-787

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Apple	Macos	All	All	All	All
Application	Haxx	Curl	All	All	All	All
Application	Netapp	Clustered Data Ontap	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Application	Splunk	Universal Forwarder	All	All	All	All
Application	Splunk	Universal Forwarder	9.1.0	All	All	All

Reference	Source	Link	Tags
Full Disclosure: APPLE-SA-2023-01-23-4 macOS Ventura 13.2	FULLDISC	seclists.org
Full Disclosure: APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3	FULLDISC	seclists.org
curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security	GENTOO	security.gentoo.org
HackerOne	MISC	hackerone.com
December 2022 cURL/libcURL Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
About the security content of macOS Monterey 12.6.3 - Apple Support	CONFIRM	support.apple.com
About the security content of macOS Ventura 13.2 - Apple Support	CONFIRM	support.apple.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

184350 Debian Security Update for curl (CVE-2022-35260)
199008 Ubuntu Security Notification for curl Vulnerabilities (USN-5702-1)
283261 Fedora Security Update for curl (FEDORA-2022-01ffde372c)
283302 Fedora Security Update for curl (FEDORA-2022-39688a779d)
283449 Fedora Security Update for curl (FEDORA-2022-e9d65906c4)
354115 Amazon Linux Security Advisory for curl : ALAS2-2022-1882
354289 Amazon Linux Security Advisory for curl : ALAS2022-2022-246
354553 Amazon Linux Security Advisory for curl : ALAS-2022-246
355207 Amazon Linux Security Advisory for curl : ALAS2023-2023-083
377927 Apple macOS Ventura 13.2 Not Installed (HT213605)
377928 Apple macOS Monterey 12.6.3 Not Installed (HT213604)
378090 NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Disclosure of Sensitive Information Denial of Service (DoS) Vulnerability (NTAP-20230110-0006)
378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
502717 Alpine Linux Security Update for curl
505613 Alpine Linux Security Update for curl
691009 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (0f99a30c-7b4b-11ed-9168-080027f5fec9)
710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)