CVE-2022-27782 — HIGH (7.5)

Q: How severe is CVE-2022-27782?

CVE-2022-27782 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-27782?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Debian Debian Linux, Splunk Universal Forwarder.

Vulnerability Description

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Haxx	Curl	< 7.83.1
Debian	Debian Linux	10.0
Splunk	Universal Forwarder	>= 8.2.0, < 8.2.12

Related Weaknesses (CWE)

CWE-295 CWE-840

References

http://www.openwall.com/lists/oss-security/2023/03/20/6Mailing List
https://hackerone.com/reports/1555796ExploitThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202212-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20220609-0009/Third Party Advisory
https://www.debian.org/security/2022/dsa-5197Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2023/03/20/6Mailing List
https://hackerone.com/reports/1555796ExploitThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202212-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20220609-0009/Third Party Advisory
https://www.debian.org/security/2022/dsa-5197Mailing ListThird Party Advisory

FAQ

What is CVE-2022-27782?

CVE-2022-27782 is a vulnerability with a CVSS score of 7.5 (HIGH). libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection po...

How severe is CVE-2022-27782?

CVE-2022-27782 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-27782?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Debian Debian Linux, Splunk Universal Forwarder.