CVE-2022-22576
26.05.2022, 17:15
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| haxx | curl | 7.33.0 ≤ 𝑥 < 7.83.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
| netapp | clustered_data_ontap | - |
| netapp | solidfire_\&_hci_management_node | - |
| netapp | solidfire_\&_hci_storage_node | - |
| brocade | fabric_operating_system | - |
| netapp | bootstrap_os | - |
| netapp | h300s_firmware | - |
| netapp | h500s_firmware | - |
| netapp | h700s_firmware | - |
| netapp | h410s_firmware | - |
| splunk | universal_forwarder | 8.2.0 ≤ 𝑥 < 8.2.12 |
| splunk | universal_forwarder | 9.0.0 ≤ 𝑥 < 9.0.6 |
| splunk | universal_forwarder | 9.1.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| curl |
| ||||||||||||||||||||||||||||||||||||
| libcurl-devel |
| ||||||||||||||||||||||||||||||||||||
| libcurl4 |
| ||||||||||||||||||||||||||||||||||||
| libcurl4-32bit |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| curl |
| ||||||||||||
| curl-minimal |
| ||||||||||||
| libcurl |
| ||||||||||||
| libcurl-devel |
| ||||||||||||
| libcurl-minimal |
|
Common Weakness Enumeration
- CWE-287 - Improper AuthenticationWhen an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
- CWE-306 - Missing Authentication for Critical FunctionThe product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
References