Main Vulnerability Database Vulnerabilities #VU70457

#VU70457 Security features bypass in cURL - CVE-2022-43551

Published: December 21, 2022

Vulnerability identifier: #VU70457

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-43551

CWE-ID: CWE-254

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
cURL

Software vendor:
curl.haxx.se

Description

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists in the way curl handles IDN characters in hostnames. The HSTS mechanism could be bypassed if the hostname in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Then in a subsequent request it does not detect the HSTS state and makes a clear text transfer.

Remediation

Install updates from vendor's website.

External links

https://curl.haxx.se/docs/CVE-2022-43551.html

#VU70457 Security features bypass in cURL - CVE-2022-43551

Description

Remediation

External links

Please verify you're human