CVE-2022-27781 — Uncontrolled Resource Consumption in Curl
Severity
7.5HIGHNVD
EPSS
0.1%
top 76.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 2
Latest updateJul 24
Description
libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages5 packages
Also affects: Debian Linux 10.0, 11.0
🔴Vulnerability Details
6GHSA▶
GHSA-xgr5-38f7-xqvv: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain↗2022-06-03
OSV▶
CVE-2022-27781: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain↗2022-06-02
CVEList▶
CVE-2022-27781: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain↗2022-06-01
OSV▶
CVE-2022-27781: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain↗2022-05-11
📋Vendor Advisories
5Microsoft▶
libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function a malicious server could make libc↗2022-06-14
Debian▶
CVE-2022-27781: curl - libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest d...↗2022