CVE-2022-32208Out-of-bounds Write in Curl

CWE-840CWE-787Out-of-bounds WriteCWE-924Improper Enforcement of Message Integrity During Transmission in a Communication Channel13 documents10 sources
Severity
5.9MEDIUMNVD
OSV7.5
EPSS
0.2%
top 62.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Haxx CurlApple MacosSplunk Universal Forwarder+3 more
Timeline
PublishedJul 7
Latest updateOct 24

Description

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages6 packages

NVDhaxx/curl7.16.47.84.0
Debianhaxx/curl< 7.74.0-1.3+deb11u2+3
Ubuntuhaxx/curl< 7.35.0-1ubuntu2.20+esm11+1
CVEListV5https/github.com_curl_curlFixed in 7.84.0
NVDapple/macos< 13.0

Also affects: Debian Linux 10.0, 11.0, Fedora 35

🔴Vulnerability Details

4
GHSA
GHSA-gfg8-2cqc-6cmc: When curl < 72022-07-08
CVEList
CVE-2022-32208: When curl < 72022-07-07
OSV
CVE-2022-32208: When curl < 72022-07-07
OSV
curl vulnerabilities2022-07-01

📋Vendor Advisories

6
Apple
CVE-2022-32208: macOS Ventura 132022-10-24
Microsoft
When curl < 7.84.0 does FTP transfers secured by krb5 it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to2022-07-12
Ubuntu
curl vulnerabilities2022-07-01
Ubuntu
curl vulnerabilities2022-06-27
Red Hat
curl: FTP-KRB bad message verification2022-06-27

💬Community

2
HackerOne
CVE-2022-32208: FTP-KRB bad message verification2022-06-27
HackerOne
CVE-2022-32208: FTP-KRB bad message verification2022-06-27
CVE-2022-32208 — Out-of-bounds Write in Haxx Curl | cvebase