CVE-2022-27782 — Improper Certificate Validation in Curl
Severity
7.5HIGHNVD
EPSS
0.5%
top 35.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 2
Latest updateJan 15
Description
libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6
Affected Packages4 packages
Also affects: Debian Linux 10.0, 11.0
🔴Vulnerability Details
4GHSA▶
GHSA-x38v-8q6p-w65c: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse↗2022-06-03
OSV▶
CVE-2022-27782: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse↗2022-06-02
CVEList▶
CVE-2022-27782: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse↗2022-06-01
📋Vendor Advisories
6Microsoft▶
libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection po↗2022-06-14