CVE-2022-27780: percent-encoded path separator in URL host
Team Summary
Official summary from Internet Bug Bounty
percent-encoded path separator in URL host
==========================================

Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-27780.html)

VULNERABILITY
-------------

The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved.

For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.

We are not aware of any exploit of this flaw.

INFO
----

This flaw was introduced in [commit 9a8564a920188e](https://github.com/curl/curl/commit/9a8564a920188e), shipped in curl [7.80.0](https://curl.se/docs/vuln-7.80.0.html) when curl added support for percent-encoded host names in URLs.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-27780 to this issue.

CWE-177: Improper Handling of URL Encoding

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl [7.80.0](https://curl.se/docs/vuln-7.80.0.html) to and including [7.83.0](https://curl.se/docs/vuln-7.83.0.html)
- Not affected versions: curl < [7.83.0](https://curl.se/docs/vuln-7.83.0.html) and curl >= [7.83.1](https://curl.se/docs/vuln-7.83.1.html)

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

The URL parser now rejects host names that percent-decode into URL separator characters.

A [fix for CVE-2022-27780](https://github.com/curl/curl/commit/914aaab9153764e)

RECOMMENDATIONS
--------------

A - Upgrade curl to version [7.83.1](https://curl.se/docs/vuln-7.83.1.html)

B - Apply the patch to your local version

TIMELINE
--------

This issue was reported to the curl project on April 28, 2022. We contacted distros@openwall on May 5.

libcurl [7.83.1](https://curl.se/docs/vuln-7.83.1.html) was released on May 11 2022, coordinated with the publication of this advisory.

CREDITS
-------

This issue was reported by [Axel Chong](https://hackerone.com/haxatron1). Patched by Daniel Stenberg.

LINK TO THE ADVISORY
----------------------

https://curl.se/docs/CVE-2022-27780.html
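The rule stated under THE SOLUTION, sketched as a standalone C check that an application could run on a host name before trusting it. This is an added example, not curl's patch or a libcurl API: `decode_host_strict`, `hexval` and the reject set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not libcurl functions. */
static int hexval(unsigned char c)
{
  if(isdigit(c))
    return c - '0';
  c = (unsigned char)tolower(c);
  return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode an already-extracted host name into out.
   Returns 0 on success, -1 if the host must be rejected. */
int decode_host_strict(const char *host, char *out, size_t outlen)
{
  /* Assumed reject set: bytes that delimit URL components. */
  static const char separators[] = "/?#@:[]\\ ";
  size_t o = 0;
  if(!outlen)
    return -1;
  for(size_t i = 0; host[i]; i++) {
    unsigned char c = (unsigned char)host[i];
    if(c == '%') {
      int hi = hexval((unsigned char)host[i + 1]);
      int lo = (hi < 0) ? -1 : hexval((unsigned char)host[i + 2]);
      if(lo < 0)
        return -1; /* truncated or non-hex escape */
      c = (unsigned char)(hi * 16 + lo);
      i += 2;
      /* The decoded byte must not change where the host ends. */
      if(c < 0x20 || c == 0x7f || strchr(separators, c))
        return -1;
    }
    if(o + 1 >= outlen)
      return -1; /* output buffer too small */
    out[o++] = (char)c;
  }
  out[o] = '\0';
  return 0;
}

int main(void)
{
  /* Constructed sample hosts; the first is the advisory's example. */
  const char *samples[] = { "example.com%2F127.0.0.1", "ex%61mple.com", "example.com%2" };
  char buf[64];
  for(size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-26s -> %s\n", samples[i],
           decode_host_strict(samples[i], buf, sizeof(buf)) ? "rejected" : buf);
  return 0;
}
```

The check runs on the decoded byte, so a filter and the later request see the same host boundary.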
Vulnerability Details
Technical details and impact analysis
Related CVEs
Associated Common Vulnerabilities and Exposures
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can …
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Improper Input Validation