#VU63008 Infinite loop in cURL


Published: 2022-05-11

Vulnerability identifier: #VU63008

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-27781

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cURL
Client/Desktop applications / Other client software

Vendor: curl.haxx.se

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when handling requests with the CURLOPT_CERTINFO option. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cURL: 7.34.0 - 7.83.0

CPE

External links
http://curl.haxx.se/docs/CVE-2022-27781.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Splunk Enterprise update for third-party packages
Multiple vulnerabilities in Siemens RUGGEDCOM ROX devices
Splunk Universal Forwarder update for third-party packages
Multiple vulnerabilities in Dell ECS
Multiple vulnerabilities in Dell VxRail Appliance components
Multiple vulnerabilities in Dell PowerScale OneFS
Gentoo update for curl
Amazon Linux AMI update for curl
VMware Tanzu products update for curl
Multiple vulnerabilities in Western Digital My Cloud OS 5