Anolis OS update for curl



Updated: 2025-03-29
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2022-32206, CVE-2022-32208
CWE-ID: CWE-400, CWE-347
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Anolis OS
Operating systems & Components / Operating system

libcurl-minimal
Operating systems & Components / Operating system package or component

libcurl-devel
Operating systems & Components / Operating system package or component

libcurl
Operating systems & Components / Operating system package or component

curl
Operating systems & Components / Operating system package or component

Vendor OpenAnolis

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU64682

Risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-32206

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure processing of compressed HTTP responses. A malicious server can send a specially crafted HTTP response to curl and cause a denial of service by forcing curl to allocate enormous amounts of heap memory, or to attempt to and fail with out-of-memory errors.

Mitigation

Install updates from the vendor's repository.

Vulnerable software versions

Anolis OS: 8

libcurl-minimal: before 7.61.1-22

libcurl-devel: before 7.61.1-22

libcurl: before 7.61.1-22

curl: before 7.61.1-22

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0655


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU64685

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-32208

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to improper handling of message verification failures when performing FTP transfers secured by krb5. A remote attacker can perform a MitM attack and manipulate data.

Mitigation

Install updates from the vendor's repository.

Vulnerable software versions

Anolis OS: 8

libcurl-minimal: before 7.61.1-22

libcurl-devel: before 7.61.1-22

libcurl: before 7.61.1-22

curl: before 7.61.1-22
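Both advisories above are fixed by the same package build, so a single check covers them. The script below is an added example, not part of the OpenAnolis errata or the curl project: it compares the installed curl/libcurl package versions on an rpm-based Anolis OS 8 host against the fixed version 7.61.1-22 listed above. The dist-tag stripping (".an8"/".el8") and the epoch handling are assumptions about the local package naming.

```bash
#!/usr/bin/env bash
# Fixed version-release from the advisory (constructed constant for this example).
FIXED_EVR="7.61.1-22"

# Reduce an rpm EVR string to "version-release": drop a leading epoch
# ("1:" or "(none):") and a trailing dist tag such as ".an8" or ".el8".
normalize_evr() {
    local evr="$1"
    evr="${evr#*:}"
    evr="$(printf '%s' "$evr" | sed -E 's/\.(an|el)[0-9]+.*$//')"
    printf '%s' "$evr"
}

# Exit status 0 (true) when the installed EVR is older than the fixed one.
is_vulnerable() {
    local installed
    installed="$(normalize_evr "$1")"
    [ "$installed" = "$FIXED_EVR" ] && return 1
    # sort -V orders version strings; if the installed one sorts first, it is older.
    [ "$(printf '%s\n%s\n' "$installed" "$FIXED_EVR" | sort -V | head -n1)" = "$installed" ]
}

# Query the live host for each package named in the advisory.
# Returns non-zero if any installed package is still affected.
check_host() {
    local pkg evr status=0
    for pkg in curl libcurl libcurl-minimal libcurl-devel; do
        evr="$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' "$pkg" 2>/dev/null)" || continue
        if is_vulnerable "$evr"; then
            echo "$pkg $evr: affected by CVE-2022-32206 / CVE-2022-32208 (fixed in $FIXED_EVR)"
            status=1
        else
            echo "$pkg $evr: fixed"
        fi
    done
    return "$status"
}
```

Run `check_host` on the host; packages that are not installed are skipped.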

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0655


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
