CVE-2022-22576
Published 2022-05-26
Priority P350 · high · 8.1 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.91% (77.2th percentile)
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.83.0-1 (bookworm) | curl 7.83.0-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| haxx | curl | >= 0 < 7.74.0-1.3+deb11u2 | 7.74.0-1.3+deb11u2 |
| haxx | curl | >= 0 < 7.83.0-1 | 7.83.0-1 |
| haxx | curl | >= 0 < 7.83.0-1 | 7.83.0-1 |
| haxx | curl | >= 0 < 7.83.0-1 | 7.83.0-1 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.17 | 7.58.0-2ubuntu3.17 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.10 | 7.68.0-1ubuntu2.10 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.1 | 7.81.0-1ubuntu1.1 |
| haxx | curl | >= 7.33.0 < 7.83.0 | 7.83.0 |
| https | github.com_curl_curl | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_curl_7.76.0-9_on_cbl_mariner_1.0 | — | — |
| splunk | universal_forwarder | — | — |
| splunk | universal_forwarder | >= 8.2.0 < 8.2.12 | 8.2.12 |
| splunk | universal_forwarder | >= 9.0.0 < 9.0.6 | 9.0.6 |
CVSS provenance
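| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
| osv | | 8.1 | HIGH | |
| vendor_debian | | 8.1 | HIGH | |
| vendor_msrc | | 8.1 | HIGH | |
| vendor_redhat | | 8.1 | HIGH | |
| vendor_ubuntu | | 8.1 | HIGH | |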
CISA ICS
Siemens RUGGEDCOM ROX
cisa_ics·2023-07-13
ICS Advisory
Release Date: July 13, 2023
Alert Code: ICSA-23-194-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely / low attack complexity
- Vendor: Siemens
- Equipment: RUGGEDCOM ROX
- Vulnerabilities: Cleartext Transmission of Sensitive Information, Command Injection, Improper Authentication, Classic Buffer Overflow, Uncontrolled Resource Consumption, Improper Certificate Validation, Cross-Site Request Forgery (CSRF), Improper Input Validation, Incorrect Default Permissions, Cross-site Scripting, Inadequate Encryption Strength, Use of a Broken or Risky Cryptographic Algorithm.
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to send a malformed HTTP packet c
Microsoft
vendor_msrc·2022-05-10·CVSS 8.1
CVE-2022-22576 [HIGH] CWE-306
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why
Ubuntu
curl vulnerabilities
vendor_ubuntu·2022-04-28·CVSS 8.1
CVE-2022-27774 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2.
An attacker could possibly use this issue to access sensitive information.
(CVE-2022-22576)
Harry Sintonen discovered that curl incorrectly handled certain requests.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: OAUTH2 bearer bypass in connection re-use
vendor_redhat·2022-04-27·CVSS 8.1
CVE-2022-22576 [HIGH] CWE-287 curl: OAUTH2 bearer bypass in connection re-use
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
A vulnerability was found in curl. This security flaw allows reusing OAUTH2-authenticated connections without properly ensuring that the connection was authenticated with the same credentials set for this transfer. This issue leads to an authentication bypass, either by mistake or by a malicious actor.
Package: rh-dotnet31-curl (.NET Core 3.1 on Red Hat Enterprise Linux) - Out of support sc
Debian
CVE-2022-22576: curl - An improper authentication vulnerability exists in curl 7.33.0 to and including ...
vendor_debian·2022·CVSS 8.1
CVE-2022-22576 [HIGH]
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
Scope: local
bookworm: resolved (fixed in 7.83.0-1)
bullseye: resolved (fixed in 7.74.0-1.3+deb11u2)
forky: resolved (fixed in 7.83.0-1)
sid: resolved (fixed in 7.83.0-1)
trixie: resolved (fixed in 7.83.0-1)
GHSA
GHSA-2r69-696x-qxj9: An improper authentication vulnerability exists in curl 7
ghsa_unreviewed·2022-05-27
CVE-2022-22576 [HIGH] CWE-287 GHSA-2r69-696x-qxj9
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
OSV
CVE-2022-22576: An improper authentication vulnerability exists in curl 7
osv·2022-05-26·CVSS 8.1
CVE-2022-22576 [HIGH]
An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
OSV
curl vulnerabilities
osv·2022-04-28·CVSS 8.1
CVE-2022-22576 [HIGH] curl vulnerabilities
Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2.
An attacker could possibly use this issue to access sensitive information.
(CVE-2022-22576)
Harry Sintonen discovered that curl incorrectly handled certain requests.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)
No detection rules found.
No public exploits indexed.
HackerOne
Connection Reuse Ignores OAuth Bearer Token Mismatch
hackerone·2026-03-10·CVSS 8.1
[HIGH] Connection Reuse Ignores OAuth Bearer Token Mismatch
## Summary:
The connection pool reuse function url_match_conn() in lib/url.c checks oauth_bearer in its credential match block — but only for protocols marked as requiring per-connection credentials. For HTTP, OAuth bearer is passed as a header, not a protocol-level credential. If a libcurl application reuses an easy handle to connect to two different API endpoints using different bearer tokens without setting CURLOPT_FRESH_CONNECT=1, the connection pool may serve the second request on the first connection, attaching the WRONG bearer token. This is closely related to the class of bugs that produced CVE-2022-22576 (OAuth2 bearer bypass in connection reuse).
## Affected version
Identified in current master
## Steps To Reproduce:
Multi-t
HackerOne
OAUTH2 bearer not-checked for connection re-use
hackerone·2022-04-29
[MEDIUM] OAUTH2 bearer not-checked for connection re-use
libcurl might reuse OAUTH2-authenticated connections without properly making
sure that the connection was authenticated with the same credentials as set
for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S),
POP3(S) and LDAP(S) (openldap only).
libcurl maintains a pool of connections after a transfer has completed. The
pool of connections is then gone through when a new transfer is requested and
if there's a live connection available that can be reused, it is preferred
instead of creating a new one.
A connection that is successfully created and authenticated with a user name +
OAUTH2 bearer could subsequently be reused even for user + [other OAUTH2
bearer], even though that might not even be a valid bearer. This could lea
HackerOne
CVE-2022-22576: OAUTH2 bearer bypass in connection re-use
hackerone·2022-04-29·CVSS 8.1
CVE-2022-22576 [HIGH] CVE-2022-22576: OAUTH2 bearer bypass in connection re-use
## Summary:
A cached connection authenticated with the OAUTH2 mechanisms can be reused by a subsequent request even if the bearer is not correct.
This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
An application that can be accessed by more than one user (such as a webmail server) would be affected by this flaw.
## Steps To Reproduce:
`curl 'imap://server:port/path/;MAILINDEX=1' --login-options 'AUTH=OAUTHBEARER' -u user: --oauth2-bearer validbearer --next 'imap://server:port/path/;MAILINDEX=1' --login-options 'AUTH=OAUTHBEARER' -u user: --oauth2-bearer anything`
## Supporting Material/References:
* Patch 0001-url-check-sasl-additional-parameters-for-connection-.patch fixes this flaw.
As
- https://hackerone.com/reports/1526328
- https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
- https://security.gentoo.org/glsa/202212-01
- https://security.netapp.com/advisory/ntap-20220609-0008/
- https://www.debian.org/security/2022/dsa-5197

Published: 2022-05-26