CVE-2022-27776: Insufficiently Protected Credentials in Curl

Severity
NVD: 6.5 MEDIUM
OSV: 8.1
EPSS
0.7% (top 28.35%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 2
Latest update: Jul 12

Description

An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (5 packages)

Source | Package | Affected versions
CVEList V5 | https/github.com_curl_curl | fixed in curl 7.83.0
NVD | haxx/curl | < 7.83.0
Debian | haxx/curl | < 7.74.0-1.3+deb11u2 (+3 more)
Ubuntu | haxx/curl | < 7.58.0-2ubuntu3.17 (+2 more)
NVD | splunk/universal_forwarder | 8.2.0 to 8.2.12 (+2 more)

Also affects: Debian Linux 10.0, 11.0, Fedora 36, 37

🔴 Vulnerability Details (4)

GHSA
GHSA-hc85-wpv5-52wh: A insufficiently protected credentials vulnerability in fixed in curl 7 (2022-06-03)
OSV
CVE-2022-27776: A insufficiently protected credentials vulnerability in fixed in curl 7 (2022-06-02)
CVEList
CVE-2022-27776: A insufficiently protected credentials vulnerability in fixed in curl 7 (2022-06-01)
OSV
curl vulnerabilities (2022-04-28)

📋 Vendor Advisories (4)

Microsoft
HackerOne: CVE-2022-27776 Insufficiently protected credentials vulnerability might leak authentication or cookie header data (2022-07-12)
Ubuntu
curl vulnerabilities (2022-04-28)
Red Hat
curl: auth/cookie leak on redirect (2022-04-27)
Debian
CVE-2022-27776: curl - A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 mig... (2022)

💬 Community (3)

HackerOne
Credential leak on redirect (2022-05-14)
HackerOne
CVE-2022-27776: Auth/cookie leak on redirect (2022-04-29)
HackerOne
CVE-2022-27776: Auth/cookie leak on redirect (2022-04-27)