Main Vulnerability Database Vulnerabilities #VU62644

#VU62644 Information disclosure in cURL - CVE-2022-27776

Published: April 27, 2022

Vulnerability identifier: #VU62644

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-27776

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
cURL

Software vendor:
curl.haxx.se

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to curl can leak authentication or cookie header data during HTTP redirects to the same host but another port number. When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme.

The vulnerability exists due to an incomplete fix for #VU10224 (CVE-2018-1000007).

Remediation

Install updates from vendor's website.

External links

https://curl.haxx.se/docs/CVE-2022-27776.html

#VU62644 Information disclosure in cURL - CVE-2022-27776

Description

Remediation

External links

Please verify you're human