#VU63009 Incorrect Implementation of Authentication Algorithm


Published: 2022-05-11

Vulnerability identifier: #VU63009

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-27782

CWE-ID: CWE-303

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cURL
Client/Desktop applications / Other client software

Vendor: curl.haxx.se

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way libcurl handles previously used connections in a connection pool for subsequent transfers. Several TLS and SSH settings were left out from the configuration match checks, resulting in erroneous matches for different resources. As a result, libcurl can send authentication string from one resource to another, exposing credentials to a third-party.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cURL: 7.16.1 - 7.83.0


CPE

External links
http://curl.haxx.se/docs/CVE-2022-27782.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability