CVE-2022-42916

UNKNOWN

Published 2022-10-29T00:00:00

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-42916. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-6295-5j29-3cc8

Advisory Details

CVSS Scoring

CVSS Score

7.5

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-42916

WEB https://curl.se/docs/CVE-2022-42916.html

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK

WEB https://security.gentoo.org/glsa/202212-01

WEB https://security.netapp.com/advisory/ntap-20221209-0010

WEB https://support.apple.com/kb/HT213604

WEB https://support.apple.com/kb/HT213605

WEB http://seclists.org/fulldisclosure/2023/Jan/19

WEB http://seclists.org/fulldisclosure/2023/Jan/20

WEB http://www.openwall.com/lists/oss-security/2022/12/21/1

Advisory provided by GitHub Security Advisory Database. Published: October 29, 2022, Modified: March 27, 2024

References

https://curl.se/docs/CVE-2022-42916.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/

https://security.netapp.com/advisory/ntap-20221209-0010/

https://security.gentoo.org/glsa/202212-01

http://www.openwall.com/lists/oss-security/2022/12/21/1

https://support.apple.com/kb/HT213604

https://support.apple.com/kb/HT213605

http://seclists.org/fulldisclosure/2023/Jan/20

http://seclists.org/fulldisclosure/2023/Jan/19

HackerOne Reports

CVE-2022-43551: Another HSTS bypass via IDN Medium

kurohiro

curl

Cleartext Transmission of Sensitive Information

View Report

Published: 2022-10-29T00:00:00

Last Modified: 2024-08-03T13:19:05.420Z

Copied to clipboard!

CVE-2022-42916

Expert Analysis

Description

Available Exploits

Related News

GitHub Security Advisories

Advisory Details

CVSS Scoring

CVSS Score

CVSS Vector

References

References

HackerOne Reports

Request Analysis

What to expect

Request Received!