CVE-2022-32221

CRITICAL

Haxx Curl < 7.86.0 - Information Disclosure

Title source: rule

Description

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

References (11)

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2023/Jan/19

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2023/Jan/20

[Mailing List] http://www.openwall.com/lists/oss-security/2023/05/17/4

[Exploit, Issue Tracking, Third Party Advisory] https://hackerone.com/reports/1704017

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html

[Third Party Advisory] https://security.gentoo.org/glsa/202212-01

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20230110-0006/

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20230208-0002/

[Third Party Advisory] https://support.apple.com/kb/HT213604

[Third Party Advisory] https://support.apple.com/kb/HT213605

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5330

Scores

CVSS v3 9.8

EPSS 0.0182

EPSS Percentile 82.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-200 CWE-668

Status published

Affected Products (11)

haxx/curl < 7.86.0

netapp/clustered_data_ontap

netapp/h300s_firmware

netapp/h500s_firmware

netapp/h700s_firmware

netapp/h410s_firmware

debian/debian_linux

debian/debian_linux

apple/macos < 12.6.3

splunk/universal_forwarder < 8.2.12

splunk/universal_forwarder

Timeline

Published Dec 05, 2022

Tracked Since Feb 18, 2026