CVE-2022-27782

Published Jun 2, 2022

Last updated 15 days ago

CVSS high 7.5

Libcurl

Overview

Description: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.
Source: support@hackerone.com
NVD status: Modified
Products: curl, debian_linux, universal_forwarder

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:N/I:P/A:N

Weaknesses

support@hackerone.com: CWE-840
nvd@nist.gov: CWE-295
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-295

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "5A6699F9-0644-4957-ABE3-6394FC77FB37",
            "versionEndExcluding": "7.83.1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "5722E753-75DE-4944-A11B-556CB299B57D",
            "versionEndExcluding": "8.2.12",
            "versionStartIncluding": "8.2.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "DC0F9351-81A4-4FEA-B6B5-6E960A933D32",
            "versionEndExcluding": "9.0.6",
            "versionStartIncluding": "9.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "EED24E67-2957-4C1B-8FEA-E2D2FE7B97FC",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

Related CVEs

References