CVE-2022-42916

EUVD-2022-45973
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Affected Products (NVD)
VendorProductVersion
haxxcurl
7.77.0 ≤
𝑥
< 7.86.0
applemacos
𝑥
< 12.6.3
applemacos
13.0 ≤
𝑥
< 13.2
splunkuniversal_forwarder
8.2.0 ≤
𝑥
< 8.2.12
splunkuniversal_forwarder
9.0.0 ≤
𝑥
< 9.0.6
splunkuniversal_forwarder
9.1.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
bullseye
ignored
bullseye (security)
vulnerable
buster
not-affected
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
bionic
not-affected
focal
not-affected
jammy
Fixed 7.81.0-1ubuntu1.6
released
kinetic
Fixed 7.85.0-1ubuntu0.1
released
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2023/Jan/19
http://seclists.org/fulldisclosure/2023/Jan/20
http://www.openwall.com/lists/oss-security/2022/12/21/1
https://curl.se/docs/CVE-2022-42916.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20221209-0010/
https://support.apple.com/kb/HT213604
https://support.apple.com/kb/HT213605
http://seclists.org/fulldisclosure/2023/Jan/19
http://seclists.org/fulldisclosure/2023/Jan/20
http://www.openwall.com/lists/oss-security/2022/12/21/1
https://curl.se/docs/CVE-2022-42916.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20221209-0010/
https://support.apple.com/kb/HT213604
https://support.apple.com/kb/HT213605