CVE-2022-27780
published 2022-06-02
CVE-2022-27780: The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the…
Priority P3 · 35 · high · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
0.18%
40.4th percentile
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved.
For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.83.1-1 (bookworm) | curl 7.83.1-1 (bookworm) |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.18 | 7.58.0-2ubuntu3.18 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.11 | 7.68.0-1ubuntu2.11 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.2 | 7.81.0-1ubuntu1.2 |
| haxx | curl | >= 7.80.0 < 7.83.1 | 7.83.1 |
| https | github.com_curl_curl | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_curl_7.83.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_curl_7.84.0-1_on_cbl_mariner_1.0 | — | — |
| splunk | universal_forwarder | — | — |
| splunk | universal_forwarder | >= 8.2.0 < 8.2.12 | 8.2.12 |
| splunk | universal_forwarder | >= 9.0.0 < 9.0.6 | 9.0.6 |
CVSS provenance
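| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_msrc | — | 5.3 | MEDIUM | — |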
Microsoft
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL making it a *different* URL using the wrong host name when it is later retrieved. For
vendor_msrc·2022-06-14·CVSS 5.3
CVE-2022-27780 [HIGH] CWE-918 The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL making it a *different* URL using the wrong host name when it is later retrieved. For
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL making it a *different* URL using the wrong host name when it is later retrieved. For example a URL like `http://example.com%2F127.0.0.1/` would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters checks and more.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is commi
Red Hat
curl: percent-encoded path separator in URL host
vendor_redhat·2022-05-11·CVSS 7.5
CVE-2022-27780 [HIGH] CWE-838 curl: percent-encoded path separator in URL host
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.
A vulnerability was found in curl. This issue occurs because the curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the hostname part of a URL, making it a different URL using the wrong hostname when it is later retrieved. This flaw allows a malicious actor to circumvent filters.
Package: rh-dotnet3
Ubuntu
curl vulnerabilities
vendor_ubuntu·2022-05-11·CVSS 7.5
CVE-2022-27780 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Axel Chong discovered that curl incorrectly handled percent-encoded URL
separators. A remote attacker could possibly use this issue to trick curl
into using the wrong URL and bypass certain checks or filters. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-27780)
Florian Kohnhäuser discovered that curl incorrectly handled returning a
TLS server's certificate chain details. A remote attacker could possibly
use this issue to cause curl to stop responding, resulting in a denial of
service. (CVE-2022-27781)
Harry Sintonen discovered that curl incorrectly reused a previous
connection when certain options had been changed, contrary to expectations.
(CVE-2022-27782)
Instructions: In general, a standard syste
Debian
CVE-2022-27780: curl - The curl URL parser wrongly accepts percent-encoded URL separators like '/' when ...
vendor_debian·2022·CVSS 7.5
CVE-2022-27780 [HIGH] CVE-2022-27780: curl - The curl URL parser wrongly accepts percent-encoded URL separators like '/' when ...
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.
Scope: local
bookworm: resolved (fixed in 7.83.1-1)
bullseye: resolved
forky: resolved (fixed in 7.83.1-1)
sid: resolved (fixed in 7.83.1-1)
trixie: resolved (fixed in 7.83.1-1)
GHSA
GHSA-82rv-h33p-2xgc: The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL usin
ghsa_unreviewed·2022-06-03
CVE-2022-27780 [HIGH] CWE-177 GHSA-82rv-h33p-2xgc: The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL usin
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.
OSV
CVE-2022-27780: The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL usin
osv·2022-06-02·CVSS 7.5
CVE-2022-27780 [HIGH] CVE-2022-27780: The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL usin
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.
OSV
curl vulnerabilities
osv·2022-05-11·CVSS 7.5
CVE-2022-27780 [HIGH] curl vulnerabilities
Axel Chong discovered that curl incorrectly handled percent-encoded URL
separators. A remote attacker could possibly use this issue to trick curl
into using the wrong URL and bypass certain checks or filters. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-27780)
Florian Kohnhäuser discovered that curl incorrectly handled returning a
TLS server's certificate chain details. A remote attacker could possibly
use this issue to cause curl to stop responding, resulting in a denial of
service. (CVE-2022-27781)
Harry Sintonen discovered that curl incorrectly reused a previous
connection when certain options had been changed, contrary to expectations.
(CVE-2022-27782)
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2022-27780: percent-encoded path separator in URL host
hackerone·2022-06-11·CVSS 7.5
CVE-2022-27780 [HIGH] CVE-2022-27780: percent-encoded path separator in URL host
Advisory: https://curl.se/docs/CVE-2022-27780.html
Original Report: https://hackerone.com/reports/1553841
## Impact
URL filter bypasses
percent-encoded path separator in URL host
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-27780.html)
VULNERABILITY
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved.
For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.
We are not aware of any expl
HackerOne
CVE-2022-27780: percent-encoded path separator in URL host
hackerone·2022-05-11·CVSS 7.5
CVE-2022-27780 [HIGH] CVE-2022-27780: percent-encoded path separator in URL host
## Summary:
URL decoding the entire proxy string could lead to SSRF filter bypasses. For example,
When the following curl specifies the proxy string `http://example.com%2F127.0.0.1`
- If curl URL parser or another RFC3986 compliant parser parses the initial string http://127.0.0.1%2F.example.com, it will derive 127.0.0.1%2Fexample.com or 127.0.0.1/example.com as the host, if for instance, an SSRF check is used to determine if a host ends with .example.com (.example.com being an allow-listed domain), the check will succeed.
- curl will then URL decode the entire proxy string to http://127.0.0.1/example.com and send it to the server
````
GET http://127.0.0.1/example.com HTTP/1.1
Host: 127.0.0.1/example.com
User-Agent: curl/7.83.0
A
````
arXiv
CEBin: A Cost-Effective Framework for Large-Scale Binary Code Similarity Detection
arxiv_fulltext·2024-02-29
Hao Wang^1, Zeyu Gao^1, Chao Zhang^1, Mingyang Sun^2, Yuchen Zhou^3, Han Qiu^1, Xi Xiao^4
^1Tsinghua University, Beijing, China
^2University of Electronic Science and Technology of China, Chengdu, China
^3Beijing University of Technology, Beijing, China
^4Tsinghua University, Shenzhen, China
## Abstract
Binary code similarity detection (BCSD) is a fundamental technique for various applications.
Many BCSD solutions have been proposed recently, which mostly are embed
2022-06-02
Published