CVE-2022-42916

Published on: Not Yet Published

Last Modified on: 03/28/2023 02:13:00 PM UTC

CVE-2022-42916

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Certain versions of Macos from Apple contain the following vulnerability:

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

CVE-2022-42916 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	NONE	NONE

CVE References

Description	Tags ^ⓘ	Link
oss-security - curl: CVE-2022-43551: Another HSTS bypass via IDN	www.openwall.com text/html	MLIST [oss-security] 20221221 curl: CVE-2022-43551: Another HSTS bypass via IDN
Full Disclosure: APPLE-SA-2023-01-23-4 macOS Ventura 13.2	seclists.org text/html	FULLDISC 20230123 APPLE-SA-2023-01-23-4 macOS Ventura 13.2
Full Disclosure: APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3	seclists.org text/html	FULLDISC 20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3
curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security	security.gentoo.org text/html	GENTOO GLSA-202212-01
[SECURITY] Fedora 36 Update: curl-7.82.0-9.fc36 - package-announce - Fedora Mailing-Lists	lists.fedoraproject.org text/html	FEDORA FEDORA-2022-01ffde372c
curl - HSTS bypass via IDN - CVE-2022-42916	curl.se text/html	MISC curl.se/docs/CVE-2022-42916.html
About the security content of macOS Monterey 12.6.3 - Apple Support	support.apple.com text/html	CONFIRM support.apple.com/kb/HT213604
[SECURITY] Fedora 35 Update: curl-7.79.1-7.fc35 - package-announce - Fedora Mailing-Lists	lists.fedoraproject.org text/html	FEDORA FEDORA-2022-39688a779d
About the security content of macOS Ventura 13.2 - Apple Support	support.apple.com text/html	CONFIRM support.apple.com/kb/HT213605
October 2022 cURL/libcURL Vulnerabilities in NetApp Products \| NetApp Product Security	security.netapp.com text/html	CONFIRM security.netapp.com/advisory/ntap-20221209-0010/
[SECURITY] Fedora 37 Update: curl-7.85.0-2.fc37 - package-announce - Fedora Mailing-Lists	lists.fedoraproject.org text/html	FEDORA FEDORA-2022-e9d65906c4

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

199008 Ubuntu Security Notification for curl Vulnerabilities (USN-5702-1)
240996 Red Hat Update for JBoss Core Services (RHSA-2022:8840)
283261 Fedora Security Update for curl (FEDORA-2022-01ffde372c)
283302 Fedora Security Update for curl (FEDORA-2022-39688a779d)
283449 Fedora Security Update for curl (FEDORA-2022-e9d65906c4)
354115 Amazon Linux Security Advisory for curl : ALAS2-2022-1882
354289 Amazon Linux Security Advisory for curl : ALAS2022-2022-246
354553 Amazon Linux Security Advisory for curl : ALAS-2022-246
355207 Amazon Linux Security Advisory for curl : ALAS2023-2023-083
377927 Apple macOS Ventura 13.2 Not Installed (HT213605)
377928 Apple macOS Monterey 12.6.3 Not Installed (HT213604)
378101 NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Disclosure of Sensitive Information Denial of Service (DoS) Vulnerability (NTAP-20221209-0010)
378434 Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2023)
502573 Alpine Linux Security Update for curl
502575 Alpine Linux Security Update for curl
502717 Alpine Linux Security Update for curl
672494 EulerOS Security Update for curl (EulerOS-SA-2023-1005)
672512 EulerOS Security Update for curl (EulerOS-SA-2023-1030)
691009 Free Berkeley Software Distribution (FreeBSD) Security Update for curl (0f99a30c-7b4b-11ed-9168-080027f5fec9)
710693 Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)
752739 SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:3785-1)
904433 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11412)
904483 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11369)
904504 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11369-1)
904527 Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11412-1)

Exploit/POC from Github

This repository contains a collection of data files on known Common Vulnerabilities and Exposures (CVEs). Each file i…

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Apple	Macos	All	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Application	Haxx	Curl	All	All	All	All

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*:
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*:
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*:
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@bagder	CVE-2022-42916: a user could bypass the HSTS checks with some "fun" IDN tricks: curl.se/docs/CVE-2022-…	2022-10-26 06:30:05
@oss_security	[SECURITY ADVISORY] CVE-2022-42916: HSTS bypass via IDN (curl): Posted by Daniel Stenberg on Oct 25CVE-2022-42916:… twitter.com/i/web/status/1…	2022-10-26 07:24:06
@TH3FIX3R	curl: CVE-2022-42916: HSTS bypass via IDN ift.tt/ubgRrZ4 #ASEA #ASEAinItaly	2022-10-27 16:43:16
@RedPacketSec	HackerOne Bug Bounty Disclosure: cve-2022-42916:-hsts-bypass-via-idnbykurohiro - redpacketsecurity.com/hackerone-bugb…… twitter.com/i/web/status/1…	2022-10-27 17:01:44
@h1Disclosed	⚡️ CVE-2022-42916: HSTS bypass via IDN ?‍? @kurohiro_x ➟ curl ? Medium ? N/A hackerone.com/reports/1730660 #bugbounty… twitter.com/i/web/status/1…	2022-10-28 07:58:57
@CVEreport	CVE-2022-42916 : In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using… twitter.com/i/web/status/1…	2022-10-29 02:05:33
/r/netcve	CVE-2022-42916	2022-10-29 02:38:51
/r/k12cybersecurity	MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution - PATCH: NOW	2023-01-24 14:14:35
/r/synology	DSM Version: 7.2-64561	2023-05-22 03:16:44