{"api_version":"1","generated_at":"2026-04-17T07:47:50+00:00","cve":"CVE-2022-30115","urls":{"html":"https://cve.report/CVE-2022-30115","api":"https://cve.report/api/cve/CVE-2022-30115.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-30115","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-30115"},"summary":{"title":"CVE-2022-30115","description":"Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2022-06-02 14:15:00","updated_at":"2024-03-27 15:01:00"},"problem_types":["CWE-319"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2022/12/21/1","name":"[oss-security] 20221221 curl: CVE-2022-43551: Another HSTS bypass via IDN","refsource":"MLIST","tags":[],"title":"oss-security - curl: CVE-2022-43551: Another HSTS bypass via IDN","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20220609-0009/","name":"https://security.netapp.com/advisory/ntap-20220609-0009/","refsource":"CONFIRM","tags":[],"title":"June 2022 Libcurl Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202212-01","name":"GLSA-202212-01","refsource":"GENTOO","tags":[],"title":"curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://hackerone.com/reports/1557449","name":"https://hackerone.com/reports/1557449","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2022/10/26/4","name":"[oss-security] 20221026 [SECURITY ADVISORY] CVE-2022-42916: HSTS bypass via IDN (curl)","refsource":"MLIST","tags":[],"title":"oss-security - [SECURITY ADVISORY] CVE-2022-42916: HSTS bypass via IDN (curl)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-30115","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30115","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"haxx","cpe5":"curl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"clustered_data_ontap","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h300s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h300s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h410s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h410s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h500s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h500s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"h700s","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"h700s_firmware","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"hci_bootstrap_os","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"netapp","cpe5":"hci_compute_node","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"solidfire\\,_enterprise_sds_\\&_hci_storage_node","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"solidfire_\\&_hci_management_node","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"splunk","cpe5":"universal_forwarder","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"30115","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"splunk","cpe5":"universal_forwarder","cpe6":"9.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-30115","qid":"184818","title":"Debian Security Update for curl (CVE-2022-30115)"},{"cve":"CVE-2022-30115","qid":"282696","title":"Fedora Security Update for curl (FEDORA-2022-d15a736748)"},{"cve":"CVE-2022-30115","qid":"296082","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)"},{"cve":"CVE-2022-30115","qid":"354292","title":"Amazon Linux Security Advisory for curl : ALAS2022-2022-206"},{"cve":"CVE-2022-30115","qid":"354341","title":"Amazon Linux Security Advisory for curl : ALAS2022-2022-065"},{"cve":"CVE-2022-30115","qid":"354587","title":"Amazon Linux Security Advisory for curl : ALAS-2022-206"},{"cve":"CVE-2022-30115","qid":"355207","title":"Amazon Linux Security Advisory for curl : ALAS2023-2023-083"},{"cve":"CVE-2022-30115","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2022-30115","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2022-30115","qid":"502213","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2022-30115","qid":"503890","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2022-30115","qid":"591406","title":"Siemens SIMATIC S7-1500 CPU GNU/Linux subsystem Multiple Vulnerabilities (SSB-439005, ICSA-22-104-13)"},{"cve":"CVE-2022-30115","qid":"690868","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for curl (11e36890-d28c-11ec-a06f-d4c9ef517024)"},{"cve":"CVE-2022-30115","qid":"710693","title":"Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)"},{"cve":"CVE-2022-30115","qid":"902162","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9882)"},{"cve":"CVE-2022-30115","qid":"902164","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9891)"},{"cve":"CVE-2022-30115","qid":"902384","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9891-1)"},{"cve":"CVE-2022-30115","qid":"903772","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (9882-1)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-30115","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/curl/curl","version":{"version_data":[{"version_value":"Fixed in 7.83.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Missing Required Cryptographic Step (CWE-325)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://hackerone.com/reports/1557449","url":"https://hackerone.com/reports/1557449"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20220609-0009/","url":"https://security.netapp.com/advisory/ntap-20220609-0009/"},{"refsource":"MLIST","name":"[oss-security] 20221026 [SECURITY ADVISORY] CVE-2022-42916: HSTS bypass via IDN (curl)","url":"http://www.openwall.com/lists/oss-security/2022/10/26/4"},{"refsource":"GENTOO","name":"GLSA-202212-01","url":"https://security.gentoo.org/glsa/202212-01"},{"refsource":"MLIST","name":"[oss-security] 20221221 curl: CVE-2022-43551: Another HSTS bypass via IDN","url":"http://www.openwall.com/lists/oss-security/2022/12/21/1"}]},"description":{"description_data":[{"lang":"eng","value":"Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and *not* using thetrailing dot in the URL."}]}},"nvd":{"publishedDate":"2022-06-02 14:15:00","lastModifiedDate":"2024-03-27 15:01:00","problem_types":["CWE-319"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*","versionStartIncluding":"7.82.0","versionEndExcluding":"7.83.1","cpe_name":[]}]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:solidfire_\\&_hci_management_node:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:solidfire\\,_enterprise_sds_\\&_hci_storage_node:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.0.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","versionStartIncluding":"8.2.0","versionEndExcluding":"8.2.12","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}