CVE-2022-35252
published 2022-09-23
CVE-2022-35252: When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server…
Priority P4 · 16 · low · 3.7 · CVSS 3.1
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS
1.79%
75.5th percentile
When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos | >= 11.0 < 11.7.3 | 11.7.3 |
| apple | macos | >= 12.0.0 < 12.6.3 | 12.6.3 |
| apple | macos_big_sur | — | — |
| apple | macos_monterey | — | — |
| apple | macos_ventura | — | — |
| debian | curl | < curl 7.85.0-1 (bookworm) | curl 7.85.0-1 (bookworm) |
| debian | debian_linux | — | — |
| haxx | curl | < 7.85.0 | 7.85.0 |
| haxx | curl | >= 0 < 7.74.0-1.3+deb11u3 | 7.74.0-1.3+deb11u3 |
| haxx | curl | >= 0 < 7.85.0-1 | 7.85.0-1 |
| haxx | curl | >= 0 < 7.85.0-1 | 7.85.0-1 |
| haxx | curl | >= 0 < 7.85.0-1 | 7.85.0-1 |
| https | github.com_curl_curl | — | — |
| msrc | cbl2_curl_7.86.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_curl_7.86.0-1_on_cbl_mariner_1.0 | — | — |
| splunk | universal_forwarder | — | — |
| splunk | universal_forwarder | >= 8.2.0 < 8.2.12 | 8.2.12 |
| splunk | universal_forwarder | >= 9.0.0 < 9.0.6 | 9.0.6 |
CVSS provenance
nvd · v3.1 · 3.7 · LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
osv · 3.7 · LOW
vendor_debian · 3.7 · LOW
vendor_msrc · 3.7 · LOW
vendor_redhat · 3.7 · LOW
GHSA
GHSA-qc3c-r429-gpgf: When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP se
ghsa_unreviewed·2022-09-25
CVE-2022-35252 [LOW] CWE-20 GHSA-qc3c-r429-gpgf: When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP se
When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings.
OSV
CVE-2022-35252: When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP se
osv·2022-09-23·CVSS 3.7
CVE-2022-35252 [LOW] CVE-2022-35252: When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP se
When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings.
CISA ICS
Siemens SINEC NMS Third-Party
cisa_ics·2023-05-11·CVSS 9.8
[CRITICAL] Siemens SINEC NMS Third-Party
ICS Advisory
## Siemens SINEC NMS Third-Party
Release Date: May 11, 2023
Alert Code: ICSA-23-131-05
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Third-party components libexpat and libcurl in SINEC NMS
- Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Tran
CISA ICS
Siemens SCALANCE XCM332
cisa_ics·2023-04-13·CVSS 7.5
[HIGH] Siemens SCALANCE XCM332
ICS Advisory
## Siemens SCALANCE XCM332
Release Date: April 13, 2023
Alert Code: ICSA-23-103-09
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE XCM332
- Vulnerabilities: Allocation of Resources Without Limits or Throttling, Use After Free, Concurrent Execution Using Shared Resource with Improper Synchronization ('Race Condition'), Incorrect Default Permissions, Out-of-
Apple
CVE-2022-35252: macOS Big Sur 11.7.3
vendor_apple·2023-01-23·CVSS 3.7
CVE-2022-35252 [LOW] CVE-2022-35252: macOS Big Sur 11.7.3
Apple Security Update: About the security content of macOS Big Sur 11.7.3
Product: macOS Big Sur
Version: 11.7.3
CVE: CVE-2022-35252
Component: CVE-2022-35252
Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
Apple
CVE-2023-23513: macOS Big Sur 11.7.3
vendor_apple·2023-01-23·CVSS 3.7
CVE-2023-23513 [LOW] CVE-2023-23513: macOS Big Sur 11.7.3
Apple Security Update: About the security content of macOS Big Sur 11.7.3
Product: macOS Big Sur
Version: 11.7.3
CVE: CVE-2023-23513
Component: CVE-2022-35252
Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
Apple
CVE-2022-35252: macOS Monterey 12.6.3
vendor_apple·2023-01-23·CVSS 3.7
CVE-2022-35252 [LOW] CVE-2022-35252: macOS Monterey 12.6.3
Apple Security Update: About the security content of macOS Monterey 12.6.3
Product: macOS Monterey
Version: 12.6.3
CVE: CVE-2022-35252
Component: CVE-2022-35252
Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
Apple
CVE-2023-23513: macOS Monterey 12.6.3
vendor_apple·2023-01-23·CVSS 3.7
CVE-2023-23513 [LOW] CVE-2023-23513: macOS Monterey 12.6.3
Apple Security Update: About the security content of macOS Monterey 12.6.3
Product: macOS Monterey
Version: 12.6.3
CVE: CVE-2023-23513
Component: CVE-2022-35252
Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
Apple
CVE-2022-35252: macOS Ventura 13.1
vendor_apple·2022-12-13·CVSS 3.7
CVE-2022-35252 [LOW] CVE-2022-35252: macOS Ventura 13.1
Apple Security Update: About the security content of macOS Ventura 13.1
Product: macOS Ventura
Version: 13.1
CVE: CVE-2022-35252
Component: CVE-2022-35252
Microsoft
When curl is used to retrieve and parse cookies from a HTTP(S) server it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Ef
vendor_msrc·2022-09-13·CVSS 3.7
CVE-2022-35252 [LOW] CWE-20 When curl is used to retrieve and parse cookies from a HTTP(S) server it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Ef
When curl is used to retrieve and parse cookies from a HTTP(S) server it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information.
Ubuntu
curl vulnerability
vendor_ubuntu·2022-09-01
CVE-2022-35252 curl vulnerability
Title: curl vulnerability
Summary: curl could be denied access to a HTTP(S) content if it received
a specially crafted cookie.
Axel Chong discovered that when curl accepted and sent back
cookies containing control bytes that a HTTP(S) server might
return a 400 (Bad Request Error) response. A malicious cookie
host could possibly use this to cause denial-of-service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: Incorrect handling of control code characters in cookies
vendor_redhat·2022-08-31·CVSS 3.7
CVE-2022-35252 [LOW] CWE-1286 curl: Incorrect handling of control code characters in cookies
curl: Incorrect handling of control code characters in cookies
When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings.
A vulnerability found in curl. This security flaw happens when curl is used to retrieve and parse cookies from an HTTP(S) server, where it accepts cookies using control codes (byte values below 32), and also when cookies that contain such control codes are later sent back to an HTTP(S) server, possibly causing the server to return a 400 response. This issue effectively allows a "sister site" to deny service to siblings and cause a denial of service attack.
Packa
Debian
CVE-2022-35252: curl - When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts...
vendor_debian·2022·CVSS 3.7
CVE-2022-35252 [LOW] CVE-2022-35252: curl - When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts...
When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings.
Scope: local
bookworm: resolved (fixed in 7.85.0-1)
bullseye: resolved (fixed in 7.74.0-1.3+deb11u3)
forky: resolved (fixed in 7.85.0-1)
sid: resolved (fixed in 7.85.0-1)
trixie: resolved (fixed in 7.85.0-1)
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2022-35252: control code in cookie denial of service
hackerone·2022-11-05·CVSS 3.7
CVE-2022-35252 [LOW] CVE-2022-35252: control code in cookie denial of service
CVE-2022-35252: control code in cookie denial of service
https://hackerone.com/reports/1613943
## Impact
control code in cookie denial of service
## CVE-2022-35252: control code in cookie denial of service
## VULNERABILITY
When curl retrieves and parses cookies from an HTTP(S) server, it accepts cookies using control codes (byte values below 32). When cookies that contain such control codes are later sent back to an HTTP(S) server, it might make the server return a 400 response. Effectively allowing a "sister site" to deny service to siblings.
We are not aware of any exploit of this flaw.
## INFO
This flaw in the code was initially introduced in curl 4.9 but HTTP(S) servers back then did not generally reject requests using control codes so this mistake did not actually cause problems
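An added example (not code from the curl project or from any advisory on this page): a Python audit of a Netscape-format cookie jar, the file format curl writes with `-c`, that flags stored cookies whose name or value contains the control bytes (values below 32) described above. The sample jar and its `example.test` domains are constructed.

```python
"""Audit a Netscape-format cookie jar (as written by `curl -c`) for
cookies whose name or value contains control bytes (values below 32)."""

HTTPONLY_PREFIX = b"#HttpOnly_"


def control_bytes(field: bytes) -> list[int]:
    """Return the distinct control byte values (< 0x20) found in field."""
    return sorted({b for b in field if b < 0x20})


def audit_cookie_jar(data: bytes) -> list[dict]:
    """Return one finding per cookie whose name or value has control bytes."""
    findings = []
    # Split on LF only: bytes.splitlines() would also split on a bare CR,
    # hiding exactly the kind of byte this audit looks for.
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):                 # tolerate CRLF line endings
            line = line[:-1]
        if line.startswith(HTTPONLY_PREFIX):     # HttpOnly cookies are real entries
            line = line[len(HTTPONLY_PREFIX):]
        elif line.startswith(b"#") or not line.strip():
            continue                             # comment or blank line
        fields = line.split(b"\t")
        if len(fields) != 7:
            continue                             # not a 7-field cookie record
        domain, _sub, _path, _secure, _expiry, name, value = fields
        bad = sorted(set(control_bytes(name) + control_bytes(value)))
        if bad:
            findings.append({
                "line": lineno,
                "domain": domain.decode("latin-1"),
                "name": name.decode("latin-1"),
                "bytes": [f"0x{b:02x}" for b in bad],
            })
    return findings


# Constructed sample jar: line 3 carries a form feed (0x0c), line 4 a 0x01.
SAMPLE_JAR = (
    b"# Netscape HTTP Cookie File\n"
    b".example.test\tTRUE\t/\tFALSE\t0\tsession\tabc123\n"
    b".example.test\tTRUE\t/\tFALSE\t0\ttracker\tbad\x0cvalue\n"
    b"#HttpOnly_app.example.test\tFALSE\t/\tTRUE\t0\tid\tok\x01\n"
)

if __name__ == "__main__":
    for f in audit_cookie_jar(SAMPLE_JAR):
        print(f"line {f['line']}: {f['domain']} cookie {f['name']!r} has {f['bytes']}")
```

Entries flagged in a jar written by a curl older than the fixed version listed above (7.85.0) can be deleted from the file so they are no longer replayed to sibling hosts.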
HackerOne
CVE-2022-35252: control code in cookie denial of service
hackerone·2022-08-31·CVSS 3.7
CVE-2022-35252 [LOW] CVE-2022-35252: control code in cookie denial of service
CVE-2022-35252: control code in cookie denial of service
## Summary:
I took a look at https://github.com/curl/curl/pull/9048/commits/d7bcbc7d8d4b6d972d3da12d54819169a19c287b (a sneak peek on a vulnerability to be announced tomorrow). My guess for that vulnerability is that since cookies are persistent, someone who can trick curl into storing cookies can store large amounts of cookies into curl cookie store, which will prevent curl from ever interacting with the server (due to large request being generated causing a 400 error)
I found a separate way to do this, curl does not implement character check on cookie name or value when saving to cookie store. So for example a form feed '\f' can be saved in curl's cookie store. When form feed is sent by curl to a server such as Apache, Apache wil
http://seclists.org/fulldisclosure/2023/Jan/20
http://seclists.org/fulldisclosure/2023/Jan/21
https://hackerone.com/reports/1613943
https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220930-0005/
https://support.apple.com/kb/HT213603
https://support.apple.com/kb/HT213604
2022-09-23
Published