Vulnerability Description
curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Curl | >= 7.77.0, < 7.86.0 |
| Fedoraproject | Fedora | 35 |
| Netapp | H300S Firmware | - |
| Netapp | H300S | - |
| Netapp | H500S Firmware | - |
| Netapp | H500S | - |
| Netapp | H700S Firmware | - |
| Netapp | H700S | - |
| Netapp | H410S Firmware | - |
| Netapp | H410S | - |
| Netapp | Ontap 9 | - |
| Apple | Macos | >= 12.0.0, < 12.6.3 |
| Splunk | Universal Forwarder | >= 8.2.0, < 8.2.12 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2023/Jan/19 (Mailing List, Third Party Advisory)
- http://seclists.org/fulldisclosure/2023/Jan/20 (Mailing List, Third Party Advisory)
- https://curl.se/docs/CVE-2022-42915.html (Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro (Mailing List, Third Party Advisory)
- https://security.gentoo.org/glsa/202212-01 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20221209-0010/ (Third Party Advisory)
- https://support.apple.com/kb/HT213604 (Third Party Advisory)
- https://support.apple.com/kb/HT213605 (Third Party Advisory)
FAQ
What is CVE-2022-42915?
CVE-2022-42915 is a vulnerability with a CVSS score of 8.1 (HIGH). curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the pro...
How severe is CVE-2022-42915?
CVE-2022-42915 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2022-42915?
Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Fedoraproject Fedora, Netapp H300S Firmware, Netapp H300S, Netapp H500S Firmware.