CVE-2022-32208

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
hackeroneCNA
---
---
CVEADP
---
---
CISA-ADPADP
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
VendorProductVersion
haxxcurl
7.16.4 ≤
𝑥
< 7.84.0
debiandebian_linux
10.0
debiandebian_linux
11.0
netappclustered_data_ontap
-
netappelement_software
-
netapphci_management_node
-
netappsolidfire
-
netappbootstrap_os
-
netapph300s_firmware
-
netapph500s_firmware
-
netapph700s_firmware
-
netapph410s_firmware
-
applemacos
𝑥
< 13.0
splunkuniversal_forwarder
8.2.0 ≤
𝑥
< 8.2.12
splunkuniversal_forwarder
9.0.0 ≤
𝑥
< 9.0.6
splunkuniversal_forwarder
9.1.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
kinetic
Fixed 7.84.0-1
released
jammy
Fixed 7.81.0-1ubuntu1.3
released
impish
Fixed 7.74.0-1.3ubuntu2.3
released
focal
Fixed 7.68.0-1ubuntu2.12
released
bionic
Fixed 7.58.0-2ubuntu3.19
released
xenial
Fixed 7.47.0-1ubuntu2.19+esm4
released
trusty
Fixed 7.35.0-1ubuntu2.20+esm11
released
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2022/Oct/28
http://seclists.org/fulldisclosure/2022/Oct/41
https://hackerone.com/reports/1590071
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220915-0003/
https://support.apple.com/kb/HT213488
https://www.debian.org/security/2022/dsa-5197
http://seclists.org/fulldisclosure/2022/Oct/28
http://seclists.org/fulldisclosure/2022/Oct/41
https://hackerone.com/reports/1590071
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220915-0003/
https://support.apple.com/kb/HT213488
https://www.debian.org/security/2022/dsa-5197