CVE-2022-42916

HIGH

curl 7.77.0-7.85.0 - Cleartext Transmission of Sensitive Information via IDN Character Bypass

Title source: llm
STIX 2.1

Description

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

References (11)

Core 11
Core References
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202212-01
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/12/21/1
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2023/Jan/20
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2023/Jan/19

Scores

CVSS v3 7.5
EPSS 0.0005
EPSS Percentile 14.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-319
Status published
Products (7)
apple/macos < 12.6.3
fedoraproject/fedora 35
fedoraproject/fedora 36
fedoraproject/fedora 37
haxx/curl 7.77.0 - 7.86.0
splunk/universal_forwarder 9.1.0
splunk/universal_forwarder 8.2.0 - 8.2.12
Published Oct 29, 2022
Tracked Since Feb 18, 2026