CVE-2022-27778
Published 2022-06-02
CVE-2022-27778: A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.
Priority: P3 41 · Severity: high · CVSS 3.1 base score: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS: 3.45% (87.4th percentile)
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.83.1-1 (bookworm) | curl 7.83.1-1 (bookworm) |
| haxx | curl | — | — |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| https | github.com_curl_curl | — | — |
| msrc | cbl2_curl_7.83.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_curl_7.84.0-1_on_cbl_mariner_1.0 | — | — |
| oracle | mysql_server | <= 5.7.38 | — |
| oracle | mysql_server | 8.0.0 – 8.0.29 | — |
| splunk | universal_forwarder | — | — |
| splunk | universal_forwarder | >= 8.2.0 < 8.2.12 | 8.2.12 |
| splunk | universal_forwarder | >= 9.0.0 < 9.0.6 | 9.0.6 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
| nvd (v2.0) | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P |
| osv | 8.1 | HIGH | — |
| vendor_debian | 8.1 | HIGH | — |
| vendor_msrc | 8.1 | HIGH | — |
| vendor_oracle | 8.1 | HIGH | — |
| vendor_redhat | 8.1 | HIGH | — |
GHSA
GHSA-rh8g-j53h-g8xf · ghsa_unreviewed · 2022-06-03 · HIGH · CWE-706
A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.
OSV
CVE-2022-27778 · osv · 2022-06-02 · HIGH · CVSS 8.1
A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.
Oracle
Oracle MySQL Risk Matrix: Server: Packaging (cURL) · vendor_oracle · 2022-07-15 · HIGH · CVSS 8.1
CVE: CVE-2022-27778
CVSS: 8.1
Protocol: MySQL Protocol
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2022 (JUL 2022)
Microsoft
vendor_msrc · 2022-06-14 · HIGH · CWE-706 · CVSS 8.1
A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Red Hat
curl: removes wrong file on error · vendor_redhat · 2022-05-11 · HIGH · CWE-763 · CVSS 8.1
A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.
A vulnerability was found in curl. The issue occurs when removing the wrong file when "--no-clobber" is used together with "--remove-on-error." This flaw leads to removing files by mistake or by a malicious actor.
Mitigation: Do not use "--no-clobber" with "--remove-on-error"
Package: rh-dotnet31-curl (.NET Core 3.1 on Red Hat Enterprise Linux) - Not affected
Package: curl (Red Hat Enterprise Linux 6) - Out of support scope
Package: curl (Red Hat Enterprise Linux 7) - Out of support scope
Package: curl (Red Hat Enterprise Linux 8) - Not affected
Package: curl (Red Hat Enterprise Linux 9) - Not a
Debian
CVE-2022-27778: curl · vendor_debian · 2022 · HIGH · CVSS 8.1
A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.
Scope: local
bookworm: resolved (fixed in 7.83.1-1)
bullseye: resolved
forky: resolved (fixed in 7.83.1-1)
sid: resolved (fixed in 7.83.1-1)
trixie: resolved (fixed in 7.83.1-1)
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2022-27778: curl removes wrong file on error · hackerone · 2022-05-12 · HIGH · CVSS 8.1
## Summary:
Curl command has a logic flaw that results in removal of a wrong file when combining `--no-clobber` and `--remove-on-error` if the target file name exists and an error occurs.
## Steps To Reproduce:
1. `echo "important file" > foo`
2. `echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n" | nc -l -p 9999`
3. `curl -m 3 --no-clobber --remove-on-error --output foo http://testserver.tld:9999/`
4. `ls -l foo*`
5. `cat foo.1`
`-m 3` is used here to simulate a denial of service of the connection performed by the attacker.
## Impact
Removal of a file that was supposed not to be overwritten (data loss). Incomplete file left on disk when it should have been removed. This can lead to potential loss of integrity or availabil
HackerOne
CVE-2022-27778: curl removes wrong file on error · hackerone · 2022-05-11 · HIGH · CVSS 8.1
## Summary:
Curl command has a logic flaw that results in removal of a wrong file when combining `--no-clobber` and `--remove-on-error` if the target file name exists and an error occurs.
## Steps To Reproduce:
1. `echo "important file" > foo`
2. `echo -ne "HTTP/1.1 200 OK\r\nContent-Length: 666\r\n\r\nHello\n" | nc -l -p 9999`
3. `curl -m 3 --no-clobber --remove-on-error --output foo http://testserver.tld:9999/`
4. `ls -l foo*`
5. `cat foo.1`
`-m 3` is used here to simulate a denial of service of the connection performed by the attacker.
The bug appears to happen because the remove-on-error `unlink` is called without considering the no-clobber generated file name:
- no-clobber name generation; https://github.com/curl/curl/blob/3fd1d8df3
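The logic flaw described in the report above, as an added model written for this page (not curl's own code): a simplified `--no-clobber` name chooser and a `--remove-on-error` cleanup, with the original cleanup that unlinks the requested name beside the corrected one that unlinks the name actually opened. The scenario, temp directory and "fail" flag are constructed assumptions standing in for a real transfer error.

```python
import os
import tempfile


def no_clobber_name(requested: str) -> str:
    """Name --no-clobber would actually write to: if `requested` exists,
    append .1, .2, ... until a free name is found (model, not curl's code)."""
    if not os.path.exists(requested):
        return requested
    n = 1
    while os.path.exists(f"{requested}.{n}"):
        n += 1
    return f"{requested}.{n}"


def download(requested: str, data: bytes, fail: bool, fixed: bool) -> str:
    """Model one transfer with --no-clobber --remove-on-error.
    `fail` simulates an error after a partial body was written;
    `fixed` selects the corrected cleanup path."""
    actual = no_clobber_name(requested)
    with open(actual, "wb") as fh:
        fh.write(data)  # partial body that must be removed on error
    if fail:
        # Flawed cleanup: unlink the name the user asked for, which is the
        # pre-existing file --no-clobber was meant to protect.
        # Corrected cleanup: unlink the file this transfer actually opened.
        os.unlink(actual if fixed else requested)
    return actual


def run_scenario(fixed: bool) -> dict:
    """Constructed scenario mirroring the report: an existing 'foo' that must
    not be clobbered, then a transfer to 'foo' that errors out. Returns the
    content of foo and foo.1 afterwards (None if the file is gone)."""
    with tempfile.TemporaryDirectory() as d:
        requested = os.path.join(d, "foo")
        with open(requested, "w") as fh:
            fh.write("important file\n")
        download(requested, b"Hello\n", fail=True, fixed=fixed)
        result = {}
        for name in ("foo", "foo.1"):
            path = os.path.join(d, name)
            result[name] = open(path).read() if os.path.exists(path) else None
        return result


if __name__ == "__main__":
    print("flawed:   ", run_scenario(fixed=False))
    print("corrected:", run_scenario(fixed=True))
```

With the flawed cleanup the protected `foo` is gone and the partial `foo.1` remains; with the corrected cleanup `foo` keeps its original content and the partial file is removed.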
References
- https://hackerone.com/reports/1553598
- https://security.netapp.com/advisory/ntap-20220609-0009/
- https://security.netapp.com/advisory/ntap-20220729-0004/
- https://www.oracle.com/security-alerts/cpujul2022.html