{"api_version":"1","generated_at":"2026-04-23T01:14:58+00:00","cve":"CVE-2022-42916","urls":{"html":"https://cve.report/CVE-2022-42916","api":"https://cve.report/api/cve/CVE-2022-42916.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-42916","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-42916"},"summary":{"title":"CVE-2022-42916","description":"In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2022-10-29 02:15:00","updated_at":"2024-03-27 14:59:00"},"problem_types":["CWE-319"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/","name":"FEDORA-2022-39688a779d","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: curl-7.79.1-7.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2022/12/21/1","name":"[oss-security] 20221221 curl: CVE-2022-43551: Another HSTS bypass via IDN","refsource":"MLIST","tags":[],"title":"oss-security - curl: CVE-2022-43551: Another HSTS bypass via IDN","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://seclists.org/fulldisclosure/2023/Jan/19","name":"20230123 APPLE-SA-2023-01-23-4 macOS Ventura 13.2","refsource":"FULLDISC","tags":[],"title":"Full Disclosure: APPLE-SA-2023-01-23-4 macOS Ventura 13.2","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/","name":"FEDORA-2022-e9d65906c4","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: curl-7.85.0-2.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/fulldisclosure/2023/Jan/20","name":"20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3","refsource":"FULLDISC","tags":[],"title":"Full Disclosure: APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202212-01","name":"GLSA-202212-01","refsource":"GENTOO","tags":[],"title":"curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/","name":"FEDORA-2022-01ffde372c","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: curl-7.82.0-9.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/","name":"FEDORA-2022-01ffde372c","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: curl-7.82.0-9.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://curl.se/docs/CVE-2022-42916.html","name":"https://curl.se/docs/CVE-2022-42916.html","refsource":"MISC","tags":[],"title":"curl - HSTS bypass via IDN - CVE-2022-42916","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.apple.com/kb/HT213604","name":"https://support.apple.com/kb/HT213604","refsource":"CONFIRM","tags":[],"title":"About the security content of macOS Monterey 12.6.3 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/","name":"FEDORA-2022-39688a779d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: curl-7.79.1-7.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://support.apple.com/kb/HT213605","name":"https://support.apple.com/kb/HT213605","refsource":"CONFIRM","tags":[],"title":"About the security content of macOS Ventura 13.2 - Apple Support","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20221209-0010/","name":"https://security.netapp.com/advisory/ntap-20221209-0010/","refsource":"CONFIRM","tags":[],"title":"October 2022 cURL/libcURL Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/","name":"FEDORA-2022-e9d65906c4","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: curl-7.85.0-2.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-42916","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42916","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"42916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"macos","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"42916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"42916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"42916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"42916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"haxx","cpe5":"curl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"42916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"splunk","cpe5":"universal_forwarder","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"42916","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"splunk","cpe5":"universal_forwarder","cpe6":"9.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-42916","qid":"183689","title":"Debian Security Update for curl (CVE-2022-42916)"},{"cve":"CVE-2022-42916","qid":"199008","title":"Ubuntu Security Notification for curl Vulnerabilities (USN-5702-1)"},{"cve":"CVE-2022-42916","qid":"240996","title":"Red Hat Update for JBoss Core Services (RHSA-2022:8840)"},{"cve":"CVE-2022-42916","qid":"283261","title":"Fedora Security Update for curl (FEDORA-2022-01ffde372c)"},{"cve":"CVE-2022-42916","qid":"283302","title":"Fedora Security Update for curl (FEDORA-2022-39688a779d)"},{"cve":"CVE-2022-42916","qid":"283449","title":"Fedora Security Update for curl (FEDORA-2022-e9d65906c4)"},{"cve":"CVE-2022-42916","qid":"296099","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 57.144.3 Missing (CPUAPR2023)"},{"cve":"CVE-2022-42916","qid":"354115","title":"Amazon Linux Security Advisory for curl : ALAS2-2022-1882"},{"cve":"CVE-2022-42916","qid":"354289","title":"Amazon Linux Security Advisory for curl : ALAS2022-2022-246"},{"cve":"CVE-2022-42916","qid":"354553","title":"Amazon Linux Security Advisory for curl : ALAS-2022-246"},{"cve":"CVE-2022-42916","qid":"355207","title":"Amazon Linux Security Advisory for curl : ALAS2023-2023-083"},{"cve":"CVE-2022-42916","qid":"377927","title":"Apple macOS Ventura 13.2 Not Installed (HT213605)"},{"cve":"CVE-2022-42916","qid":"377928","title":"Apple macOS Monterey 12.6.3 Not Installed (HT213604)"},{"cve":"CVE-2022-42916","qid":"378101","title":"NetApp Clustered Data Open Network Technology for Appliance Products (ONTAP) Disclosure of Sensitive Information Denial of Service (DoS) Vulnerability (NTAP-20221209-0010)"},{"cve":"CVE-2022-42916","qid":"378434","title":"Oracle Managed Virtualization (VM) VirtualBox Multiple Vulnerabilities (CPUAPR2023)"},{"cve":"CVE-2022-42916","qid":"378599","title":"Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)"},{"cve":"CVE-2022-42916","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2022-42916","qid":"502573","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2022-42916","qid":"502575","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2022-42916","qid":"502717","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2022-42916","qid":"505613","title":"Alpine Linux Security Update for curl"},{"cve":"CVE-2022-42916","qid":"672494","title":"EulerOS Security Update for curl (EulerOS-SA-2023-1005)"},{"cve":"CVE-2022-42916","qid":"672512","title":"EulerOS Security Update for curl (EulerOS-SA-2023-1030)"},{"cve":"CVE-2022-42916","qid":"691009","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for curl (0f99a30c-7b4b-11ed-9168-080027f5fec9)"},{"cve":"CVE-2022-42916","qid":"710693","title":"Gentoo Linux curl Multiple Vulnerabilities (GLSA 202212-01)"},{"cve":"CVE-2022-42916","qid":"752739","title":"SUSE Enterprise Linux Security Update for curl (SUSE-SU-2022:3785-1)"},{"cve":"CVE-2022-42916","qid":"904433","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11412)"},{"cve":"CVE-2022-42916","qid":"904483","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11369)"},{"cve":"CVE-2022-42916","qid":"904504","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11369-1)"},{"cve":"CVE-2022-42916","qid":"904527","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for curl (11412-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2022-42916","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://curl.se/docs/CVE-2022-42916.html","url":"https://curl.se/docs/CVE-2022-42916.html"},{"refsource":"FEDORA","name":"FEDORA-2022-01ffde372c","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/"},{"refsource":"FEDORA","name":"FEDORA-2022-39688a779d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/"},{"refsource":"FEDORA","name":"FEDORA-2022-e9d65906c4","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20221209-0010/","url":"https://security.netapp.com/advisory/ntap-20221209-0010/"},{"refsource":"GENTOO","name":"GLSA-202212-01","url":"https://security.gentoo.org/glsa/202212-01"},{"refsource":"MLIST","name":"[oss-security] 20221221 curl: CVE-2022-43551: Another HSTS bypass via IDN","url":"http://www.openwall.com/lists/oss-security/2022/12/21/1"},{"refsource":"CONFIRM","name":"https://support.apple.com/kb/HT213604","url":"https://support.apple.com/kb/HT213604"},{"refsource":"CONFIRM","name":"https://support.apple.com/kb/HT213605","url":"https://support.apple.com/kb/HT213605"},{"refsource":"FULLDISC","name":"20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3","url":"http://seclists.org/fulldisclosure/2023/Jan/20"},{"refsource":"FULLDISC","name":"20230123 APPLE-SA-2023-01-23-4 macOS Ventura 13.2","url":"http://seclists.org/fulldisclosure/2023/Jan/19"}]}},"nvd":{"publishedDate":"2022-10-29 02:15:00","lastModifiedDate":"2024-03-27 14:59:00","problem_types":["CWE-319"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*","versionStartIncluding":"7.77.0","versionEndExcluding":"7.86.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*","versionStartIncluding":"13.0","versionEndExcluding":"13.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*","versionEndExcluding":"12.6.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.0.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*","versionStartIncluding":"8.2.0","versionEndExcluding":"8.2.12","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}