CVE-2022-42916 — HIGH (7.5)

Q: How severe is CVE-2022-42916?

CVE-2022-42916 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-42916?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Fedoraproject Fedora, Apple Macos, Splunk Universal Forwarder.

Vulnerability Description

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Haxx	Curl	>= 7.77.0, < 7.86.0
Fedoraproject	Fedora	35
Apple	Macos	< 12.6.3
Splunk	Universal Forwarder	>= 8.2.0, < 8.2.12

Related Weaknesses (CWE)

CWE-319

References

http://seclists.org/fulldisclosure/2023/Jan/19Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2023/Jan/20Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2022/12/21/1Mailing ListThird Party Advisory
https://curl.se/docs/CVE-2022-42916.htmlVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202212-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0010/Broken Link
https://support.apple.com/kb/HT213604Third Party Advisory
https://support.apple.com/kb/HT213605Third Party Advisory
http://seclists.org/fulldisclosure/2023/Jan/19Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2023/Jan/20Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2022/12/21/1Mailing ListThird Party Advisory
https://curl.se/docs/CVE-2022-42916.htmlVendor Advisory

FAQ

What is CVE-2022-42916?

CVE-2022-42916 is a vulnerability with a CVSS score of 7.5 (HIGH). In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext...

How severe is CVE-2022-42916?

CVE-2022-42916 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-42916?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Curl, Fedoraproject Fedora, Apple Macos, Splunk Universal Forwarder.