CVE-2022-27775: An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a…

CVE-2022-27775 [HIGH] CWE-200 GHSA-fx56-rj7x-688m: An information disclosure vulnerability exists in curl 7 An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

CVE-2022-27775 [HIGH] CVE-2022-27775: An information disclosure vulnerability exists in curl 7 An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

CVE-2022-22576 [HIGH] curl vulnerabilities curl vulnerabilities Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2. An attacker could possibly use this issue to access sensitive information. (CVE-2022-22576) Harry Sintonen discovered that curl incorrectly handled certain requests. An attacker could possibly use this issue to expose sensitive information. (CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)

CVE-2022-27775 [HIGH] CWE-200 An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a conne An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we w

CVE-2022-27774 [HIGH] curl vulnerabilities Title: curl vulnerabilities Summary: Several security issues were fixed in curl. Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2. An attacker could possibly use this issue to access sensitive information. (CVE-2022-22576) Harry Sintonen discovered that curl incorrectly handled certain requests. An attacker could possibly use this issue to expose sensitive information. (CVE-2022-27774, CVE-2022-27775, CVE-2022-27776) Instructions: In general, a standard system update will make all the necessary changes.

CVE-2022-27775 [HIGH] CWE-200 curl: bad local IPv6 connection reuse curl: bad local IPv6 connection reuse An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead. A vulnerability was found in curl. This security flaw occurs due to errors in the logic where the config matching function did not take the IPv6 address zone id into account. This issue can lead to curl reusing the wrong connection when one transfer uses a zone id, and the subsequent transfer uses another. Statement: This flaw does not affect the dotnet product because the version shipped is outside of the affected range. Package: rh-dotnet31-curl (.NET Core 3.1 on Red Hat Enterprise Linux) - Not affected Package: curl (Red Hat Enterpri

CVE-2022-27775 [HIGH] CVE-2022-27775: curl - An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vuln... An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead. Scope: local bookworm: resolved (fixed in 7.83.0-1) bullseye: resolved (fixed in 7.74.0-1.3+deb11u2) forky: resolved (fixed in 7.83.0-1) sid: resolved (fixed in 7.83.0-1) trixie: resolved (fixed in 7.83.0-1)

CVE-2022-27775 [HIGH] CVE-2022-27775: Bad local IPv6 connection reuse CVE-2022-27775: Bad local IPv6 connection reuse ## Summary: curl/libcurl doesn't consider IPv6 address zone index when doing connection reuse. if connection exists to specific IPv6 address (and other conditions for connection reuse are fulfilled) it will be reused for connections regardless of the zone index. ## Steps To Reproduce: 1. Set up a fake server: `echo -ne 'HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nHello\n' | nc -6 -v -l -p 9999` 2. curl "http://[ipv6addr]:9999/x" "http://[ipv6addr%25lo]:9999/y" Both connections arrive to the test server: ``` Listening on :: 9999 Connection received on somehost someport GET /x HTTP/1.1 Host: [ipv6addr]:9999 User-Agent: curl/7.83.0-DEV Accept: */* GET /y HTTP/1.1 Host: [ipv6addr]:9999 User-Agent: curl/7.83.0-DEV Accept: */* ``` Clearly th

CVE-2022-27775 [HIGH] CVE-2022-27775: Bad local IPv6 connection reuse CVE-2022-27775: Bad local IPv6 connection reuse ## Summary: Curl doesn't consider IPv6 address zone index when doing connection reuse. if connection exists to specific IPv6 address (and other conditions for connection reuse are fulfilled) it will be reused for connections regardless of the zone index. ## Steps To Reproduce: 1.Set up a fake server: `echo -ne 'HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nHello\n' | nc -6 -v -l -p 9999` 2. curl "http://[ipv6addr]:9999/x" "http://[ipv6addr%25lo]:9999/y" Both connections arrive to the test server: ``` Listening on :: 9999 Connection received on somehost someport GET /x HTTP/1.1 Host: [ipv6addr]:9999 User-Agent: curl/7.83.0-DEV Accept: */* GET /y HTTP/1.1 Host: [ipv6addr]:9999 User-Agent: curl/7.83.0-DEV Accept: */* ``` Clearly the 2nd con