CVE-2022-30115
published 2022-06-02
CVE-2022-30115: Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL…
Priority: P422 · medium · 4.3 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.11% (28.9th percentile)
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the HSTS cache and *not* using the trailing dot in the URL.
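The mismatch described above, as an added example that is not curl's code and not part of the original record: a lookup that compares the URL host and the cache entry as whole strings misses in both directions, while one that ignores a single trailing dot on both sides matches. The cache contents, host names and function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a loaded HSTS cache (not curl's data structure). */
struct hsts_entry { const char *host; bool include_subdomains; };
static const struct hsts_entry cache[] = {
    { "accounts.example.com", false }, /* stored without a trailing dot */
    { "login.example.org.",   true  }, /* stored with a trailing dot */
};
#define NCACHE (sizeof cache / sizeof cache[0])

/* Length of a host name, not counting one trailing dot (the DNS root label). */
static size_t host_len(const char *h) {
    size_t n = strlen(h);
    return (n > 0 && h[n - 1] == '.') ? n - 1 : n;
}

/* Case-insensitive comparison of the first n bytes. */
static bool eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* normalize=false compares whole strings, so "host." never matches "host";
   normalize=true ignores one trailing dot on both the URL host and the entry. */
bool hsts_lookup(const char *host, bool normalize) {
    size_t hl = normalize ? host_len(host) : strlen(host);
    for (size_t i = 0; i < NCACHE; i++) {
        const char *c = cache[i].host;
        size_t cl = normalize ? host_len(c) : strlen(c);
        if (hl == cl && eq_nocase(host, c, cl))
            return true;
        /* includeSubDomains: host must end in "." followed by the entry name */
        if (cache[i].include_subdomains && hl > cl && host[hl - cl - 1] == '.' &&
            eq_nocase(host + hl - cl, c, cl))
            return true;
    }
    return false;
}

int main(void) {
    const char *h = "accounts.example.com."; /* constructed URL host */
    printf("%s exact=%d normalized=%d\n", h, hsts_lookup(h, false), hsts_lookup(h, true));
    return 0;
}
```

A lookup result of true is what makes the client upgrade the request to HTTPS, so every false result from the exact comparison on a dotted variant is a request that would stay on clear-text HTTP.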
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.83.1-1 (bookworm) | curl 7.83.1-1 (bookworm) |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 0 < 7.83.1-1 | 7.83.1-1 |
| haxx | curl | >= 7.82.0 < 7.83.1 | 7.83.1 |
| https | github.com_curl_curl | — | — |
| msrc | cbl2_curl_7.83.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_curl_7.84.0-1_on_cbl_mariner_1.0 | — | — |
| splunk | universal_forwarder | — | — |
| splunk | universal_forwarder | >= 8.2.0 < 8.2.12 | 8.2.12 |
| splunk | universal_forwarder | >= 9.0.0 < 9.0.6 | 9.0.6 |
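CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_msrc | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |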
GHSA
GHSA-p8vh-85vc-66x9: Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in th
ghsa_unreviewed·2022-06-03
CVE-2022-30115 [MEDIUM] CWE-319 GHSA-p8vh-85vc-66x9: Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in th
OSV
CVE-2022-30115: Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in th
osv·2022-06-02·CVSS 4.3
CVE-2022-30115 [MEDIUM] CVE-2022-30115: Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in th
Microsoft
Using its HSTS support curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host
vendor_msrc·2022-06-14·CVSS 4.3
CVE-2022-30115 [MEDIUM] CWE-319 Using its HSTS support curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host
Using its HSTS support curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the HSTS cache and *not* using the trailing dot in the URL.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is c
Red Hat
curl: HSTS bypass via trailing dot
vendor_redhat·2022-05-11·CVSS 4.3
CVE-2022-30115 [MEDIUM] CWE-319 curl: HSTS bypass via trailing dot
A vulnerability was found in curl. This issue occurs because when using its HTTP Strict Transport Security (HSTS) support, it can instruct curl to use HTTPS directly instead of using an insecure clear text HTTP step even when HTTP is provided in the URL. This flaw leads to a clear text transmission of sensitive information.
Package: rh-dotnet31-curl (.NET
Debian
CVE-2022-30115: curl - Using its HSTS support, curl can be instructed to use HTTPS directly instead of u...
vendor_debian·2022·CVSS 4.3
CVE-2022-30115 [MEDIUM] CVE-2022-30115: curl - Using its HSTS support, curl can be instructed to use HTTPS directly instead of u...
Scope: local
bookworm: resolved (fixed in 7.83.1-1)
bullseye: resolved
forky: resolved (fixed in 7.83.1-1)
sid: resolved (fixed in 7.83.1-1)
trixie: resolved (fixed in 7.83.1-1)
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2022-43551: Another HSTS bypass via IDN
hackerone·2023-02-03·CVSS 4.3
CVE-2022-43551 [MEDIUM] CVE-2022-43551: Another HSTS bypass via IDN
Original Report: https://hackerone.com/reports/1755083
## Impact
HSTS bypass.
CVE-2022-43551: Another HSTS bypass via IDN
Project curl Security Advisory, December 21 2022 - [Permalink](https://curl.se/docs/CVE-2022-43551.html)
VULNERABILITY
curl's HSTS check could be bypassed to trick it to keep using HTTP.
Using its HSTS support, curl can be instructed to use HTTPS instead of using
an insecure clear-text HTTP step even when HTTP is provided in the URL.
The HSTS mechanism could be bypassed if the host name in the given URL first
uses IDN characters that get replaced to ASCII counterparts as part of the IDN
conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP)
instead of the common ASCII full stop (U+002E) `.`. Then in
HackerOne
CVE-2022-42916: HSTS bypass via IDN
hackerone·2022-11-03·CVSS 4.3
CVE-2022-42916 [MEDIUM] CVE-2022-42916: HSTS bypass via IDN
Original Report: https://hackerone.com/reports/1730660
## Impact
HSTS bypass.
### CVE-2022-42916: HSTS bypass via IDN
### VULNERABILITY
curl's HSTS check could be bypassed to trick it to keep using HTTP.
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`.
Like this: http://curl。se。
We are not aware of any exploit of this flaw.
### INFO
This flaw was introduced in [commit 7385610
HackerOne
CVE-2022-30115: HSTS bypass via trailing dot
hackerone·2022-06-11·CVSS 4.3
CVE-2022-30115 [MEDIUM] CVE-2022-30115: HSTS bypass via trailing dot
Advisory: https://curl.se/docs/CVE-2022-30115.html
Original Report: https://hackerone.com/reports/1557449
## Impact
HSTS bypass
HSTS bypass via trailing dot
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-30115.html)
VULNERABILITY
curl's HSTS check could be bypassed to trick it to keep using HTTP.
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. Or the other way around - by having the trailing dot in the HSTS cache and *not* using the trailing dot in the U
HackerOne
CVE-2022-30115: HSTS bypass via trailing dot
hackerone·2022-05-11·CVSS 4.3
CVE-2022-30115 [MEDIUM] CVE-2022-30115: HSTS bypass via trailing dot
curl allows users to load an HSTS cache which will cause curl to use HTTPS instead of HTTP given an HTTP URL for a given site specified in the HSTS cache.
If the trailing dot is used, the HSTS check will be bypassed.
If a user has a preloaded hsts.txt:
``````
# Your HSTS cache. https://curl.se/docs/hsts.html
# This file was generated by libcurl! Edit at your own risk.
accounts.google.com "20230503 08:47:52"
``````
Doing the following:
``````
curl --hsts hsts.txt http://accounts.google.com.
``````
Will cause accounts.google.com to be loaded over HTTP
``````
301 Moved
301 Moved
The document has moved
here.
``````
This issue has been raised in other HTTP clients before such as in https://bugs.chromium.org/p/chromium/issues/detail?id=461481 an
http://www.openwall.com/lists/oss-security/2022/10/26/4
http://www.openwall.com/lists/oss-security/2022/12/21/1
https://hackerone.com/reports/1557449
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220609-0009/
2022-06-02
Published