CVE-2022-35252
LOWcurl < 7.85.0 - Denial of Service via Cookie Control Code Injection
Title source: llmDescription
When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.
References (8)
Core 8
Core References
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202212-01
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2023/Jan/20
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2023/Jan/21
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html
Exploit, Issue Tracking, Third Party Advisory
https://hackerone.com/reports/1613943
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220930-0005/
Third Party Advisory
https://support.apple.com/kb/HT213603
Third Party Advisory
https://support.apple.com/kb/HT213604
Scores
CVSS v3
3.7
EPSS
0.0029
EPSS Percentile
52.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (14)
apple/macos
11.0 - 11.7.3
debian/debian_linux
10.0
haxx/curl
< 7.85.0
netapp/bootstrap_os
netapp/clustered_data_ontap
netapp/element_software
netapp/h300s_firmware
netapp/h410s_firmware
netapp/h500s_firmware
netapp/h700s_firmware
... and 4 more
Published
Sep 23, 2022
Tracked Since
Feb 18, 2026