CVE-2022-35252

When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
hackeroneCNA
---
---
CVEADP
---
---
CISA-ADPADP
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
VendorProductVersion
haxxcurl
𝑥
< 7.85.0
netappclustered_data_ontap
-
netappelement_software
-
netapphci_management_node
-
netappsolidfire
-
netappbootstrap_os
-
netapph300s_firmware
-
netapph500s_firmware
-
netapph700s_firmware
-
netapph410s_firmware
-
applemacos
11.0 ≤
𝑥
< 11.7.3
applemacos
12.0.0 ≤
𝑥
< 12.6.3
debiandebian_linux
10.0
splunkuniversal_forwarder
8.2.0 ≤
𝑥
< 8.2.12
splunkuniversal_forwarder
9.0.0 ≤
𝑥
< 9.0.6
splunkuniversal_forwarder
9.1.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
kinetic
Fixed 7.85.0-1
released
jammy
Fixed 7.81.0-1ubuntu1.4
released
focal
Fixed 7.68.0-1ubuntu2.13
released
bionic
Fixed 7.58.0-2ubuntu3.20
released
xenial
Fixed 7.47.0-1ubuntu2.19+esm5
released
trusty
Fixed 7.35.0-1ubuntu2.20+esm12
released
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2023/Jan/20
http://seclists.org/fulldisclosure/2023/Jan/21
https://hackerone.com/reports/1613943
https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220930-0005/
https://support.apple.com/kb/HT213603
https://support.apple.com/kb/HT213604
http://seclists.org/fulldisclosure/2023/Jan/20
http://seclists.org/fulldisclosure/2023/Jan/21
https://hackerone.com/reports/1613943
https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220930-0005/
https://support.apple.com/kb/HT213603
https://support.apple.com/kb/HT213604