CVE-2022-42916

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
VendorProductVersion
haxxcurl
7.77.0 ≤
𝑥
< 7.86.0
applemacos
𝑥
< 12.6.3
applemacos
13.0 ≤
𝑥
< 13.2
splunkuniversal_forwarder
8.2.0 ≤
𝑥
< 8.2.12
splunkuniversal_forwarder
9.0.0 ≤
𝑥
< 9.0.6
splunkuniversal_forwarder
9.1.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
ignored
buster
not-affected
bullseye (security)
vulnerable
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
kinetic
Fixed 7.85.0-1ubuntu0.1
released
jammy
Fixed 7.81.0-1ubuntu1.6
released
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2023/Jan/19
http://seclists.org/fulldisclosure/2023/Jan/20
http://www.openwall.com/lists/oss-security/2022/12/21/1
https://curl.se/docs/CVE-2022-42916.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20221209-0010/
https://support.apple.com/kb/HT213604
https://support.apple.com/kb/HT213605
http://seclists.org/fulldisclosure/2023/Jan/19
http://seclists.org/fulldisclosure/2023/Jan/20
http://www.openwall.com/lists/oss-security/2022/12/21/1
https://curl.se/docs/CVE-2022-42916.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20221209-0010/
https://support.apple.com/kb/HT213604
https://support.apple.com/kb/HT213605