CVE-2022-27779
published 2022-06-02CVE-2022-27779: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send…
PriorityP429medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
0.31%
54.9th percentile
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.83.1-1 (bookworm) | curl 7.83.1-1 (bookworm) |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 7.82.0 < 7.83.1 | 7.83.1 |
| https | github.com_curl_curl | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_curl_7.83.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_curl_7.84.0-1_on_cbl_mariner_1.0 | — | — |
| splunk | universal_forwarder | — | — |
| splunk | universal_forwarder | >= 8.2.0 < 8.2.12 | 8.2.12 |
| splunk | universal_forwarder | >= 9.0.0 < 9.0.6 | 9.0.6 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv5.3MEDIUM
vendor_debian5.3MEDIUM
vendor_msrc5.3MEDIUM
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt w
vendor_msrc·2022-06-14·CVSS 5.3
CVE-2022-27779 [MEDIUM] CWE-201 libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt w
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro i
Red Hat
curl: cookie for trailing dot TLD
vendor_redhat·2022-05-11·CVSS 5.3
CVE-2022-27779 [MEDIUM] CWE-201 curl: cookie for trailing dot TLD
curl: cookie for trailing dot TLD
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
A vulnerability was found in curl. The issue occurs because curl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if the hostname is provided with a trailing dot. This flaw allo
Debian
CVE-2022-27779: curl - libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost...
vendor_debian·2022·CVSS 5.3
CVE-2022-27779 [MEDIUM] CVE-2022-27779: curl - libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost...
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
Scope: local
bookworm: resolved (fixed in 7.83.1-1)
bullseye: resolved
forky: resolved (fixed in 7.83.1-1)
sid: resolved (fixed in 7.83.1-1)
trixie: resolved (fixed in 7.83.1-1)
GHSA
GHSA-r5c3-3mf2-x8c7: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot
ghsa_unreviewed·2022-06-03
CVE-2022-27779 [MEDIUM] CWE-201 GHSA-r5c3-3mf2-x8c7: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
OSV
CVE-2022-27779: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot
osv·2022-06-02·CVSS 5.3
CVE-2022-27779 [MEDIUM] CVE-2022-27779: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2022-27779: cookie for trailing dot TLD
hackerone·2022-06-11·CVSS 5.0
CVE-2022-27779 [MEDIUM] CVE-2022-27779: cookie for trailing dot TLD
CVE-2022-27779: cookie for trailing dot TLD
Published Advisory: https://curl.se/docs/CVE-2022-27779.html
Original Report: https://hackerone.com/reports/1553301
## Impact
This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. (ie. conduct session fixation attacks.)
cookie for trailing dot TLD
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-27779.html)
VULNERABILITY
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot.
curl can be told to receive and send cookies. curl's "cookie engine" can be built with or without [Public Suffix List](https://publicsuffix.org/)
awareness. If PSL support not provided, a more rudimentar
HackerOne
CVE-2022-27779: cookie for trailing dot TLD
hackerone·2022-05-11·CVSS 5.0
CVE-2022-27779 [MEDIUM] CVE-2022-27779: cookie for trailing dot TLD
CVE-2022-27779: cookie for trailing dot TLD
## Summary:
In CVE-2014-3620 curl prevents cookies from being set for Top Level Domains (TLDs). According to the advisory, curl's "cookie parser has no Public Suffix awareness", but it will "reject TLDs from being allowed". However, a cookie can still be set for a TLD + trailing dot.
A trailing dot after a TLD is considered legal and curl will send the http://example.com. to http://example.com
## Steps To Reproduce:
1. Create an Apache file like the following
````
<?php
header("Set-Cookie: a=b; Domain=.me.");
````
2. Now save the cookie to curl and see the cookie is set for .me.
````
curl -c cookies.txt http://localtest.me./index.php
````
cookies.txt:
````
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was ge
2022-06-02
Published