CVE-2022-42916
Published 2022-10-29. CVE-2022-42916: In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS…
Priority P3 · 41 · high · 7.5 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.64% (73.4th percentile)
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
Affected
31 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos | < 12.6.3 | 12.6.3 |
| apple | macos | >= 13.0 < 13.2 | 13.2 |
| apple | macos_monterey | — | — |
| apple | macos_ventura | — | — |
| debian | curl | < curl 7.86.0-1 (bookworm) | curl 7.86.0-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| haxx | curl | >= 0 < 7.86.0-1 | 7.86.0-1 |
| haxx | curl | >= 0 < 7.86.0-1 | 7.86.0-1 |
| haxx | curl | >= 0 < 7.86.0-1 | 7.86.0-1 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.21 | 7.58.0-2ubuntu3.21 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.14 | 7.68.0-1ubuntu2.14 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.6 | 7.81.0-1ubuntu1.6 |
| haxx | curl | >= 7.77.0 < 7.86.0 | 7.86.0 |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.11.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_curl_7.86.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | 9.8 | CRITICAL | — |
| vendor_ubuntu | 9.8 | CRITICAL | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_oracle | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
CISA ICS
Siemens SINEC NMS Third-Party
cisa_ics·2023-05-11·CVSS 9.8
[CRITICAL] Siemens SINEC NMS Third-Party
ICS Advisory
## Siemens SINEC NMS Third-Party
Release Date: May 11, 2023
Alert Code: ICSA-23-131-05
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Third-party components libexpat and libcurl in SINEC NMS
- Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Tran
Oracle
Oracle Oracle Virtualization Risk Matrix: Core (cURL) — CVE-2022-42916
vendor_oracle·2023-04-15·CVSS 7.5
CVE-2022-42916 [HIGH] Oracle Oracle Virtualization Risk Matrix: Core (cURL) — CVE-2022-42916
Oracle Oracle Virtualization Risk Matrix: Core (cURL) vulnerability
CVE: CVE-2022-42916
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
Apple
CVE-2022-42916: macOS Ventura 13.2
vendor_apple·2023-01-23·CVSS 7.5
CVE-2022-42916 [HIGH] CVE-2022-42916: macOS Ventura 13.2
Apple Security Update: About the security content of macOS Ventura 13.2
Product: macOS Ventura
Version: 13.2
CVE: CVE-2022-42916
Component: CVE-2022-42916
Apple
CVE-2022-42916: macOS Monterey 12.6.3
vendor_apple·2023-01-23·CVSS 7.5
CVE-2022-42916 [HIGH] CVE-2022-42916: macOS Monterey 12.6.3
Apple Security Update: About the security content of macOS Monterey 12.6.3
Product: macOS Monterey
Version: 12.6.3
CVE: CVE-2022-42916
Component: CVE-2022-42916
Red Hat
curl: HSTS bypass via IDN
vendor_redhat·2022-10-26·CVSS 7.5
CVE-2022-42916 [HIGH] CWE-319 curl: HSTS bypass via IDN
curl: HSTS bypass via IDN
A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly
Ubuntu
curl vulnerabilities
vendor_ubuntu·2022-10-26·CVSS 9.8
CVE-2022-32221 [CRITICAL] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Robby Simpson discovered that curl incorrectly handled certain POST
operations after PUT operations. This issue could cause applications using
curl to send the wrong data, perform incorrect memory operations, or crash.
(CVE-2022-32221)
Hiroki Kurosawa discovered that curl incorrectly handled parsing .netrc
files. If an attacker were able to provide a specially crafted .netrc file,
this issue could cause curl to crash, resulting in a denial of service.
This issue only affected Ubuntu 22.10. (CVE-2022-35260)
It was discovered that curl incorrectly handled certain HTTP proxy return
codes. A remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbit
Microsoft
In curl before 7.86.0 the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support curl can be instructed to use HTTPS directly (instead of using an insecure cleartext H
vendor_msrc·2022-10-11·CVSS 7.5
CVE-2022-42916 [HIGH] CWE-319 In curl before 7.86.0 the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support curl can be instructed to use HTTPS directly (instead of using an insecure cleartext H
In curl before 7.86.0 the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion e.g. using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux d
Debian
CVE-2022-42916: curl - In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying...
vendor_debian·2022·CVSS 7.5
CVE-2022-42916 [HIGH] CVE-2022-42916: curl - In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying...
Scope: local
bookworm: resolved (fixed in 7.86.0-1)
bullseye: open
forky: resolved (fixed in 7.86.0-1)
sid: resolved (fixed in 7.86.0-1)
trixie: resolved (fixed in 7.86.0-1)
OSV
CVE-2022-42916: In curl before 7
osv·2022-10-29·CVSS 7.5
CVE-2022-42916 [HIGH] CVE-2022-42916: In curl before 7
GHSA
GHSA-6295-5j29-3cc8: In curl before 7
ghsa_unreviewed·2022-10-29
CVE-2022-42916 [HIGH] CWE-319 GHSA-6295-5j29-3cc8: In curl before 7
OSV
curl vulnerabilities
osv·2022-10-26·CVSS 9.8
CVE-2022-32221 [CRITICAL] curl vulnerabilities
curl vulnerabilities
Robby Simpson discovered that curl incorrectly handled certain POST
operations after PUT operations. This issue could cause applications using
curl to send the wrong data, perform incorrect memory operations, or crash.
(CVE-2022-32221)
Hiroki Kurosawa discovered that curl incorrectly handled parsing .netrc
files. If an attacker were able to provide a specially crafted .netrc file,
this issue could cause curl to crash, resulting in a denial of service.
This issue only affected Ubuntu 22.10. (CVE-2022-35260)
It was discovered that curl incorrectly handled certain HTTP proxy return
codes. A remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 22.04 LTS, and Ubu
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2022-43551: Another HSTS bypass via IDN
hackerone·2023-02-03·CVSS 4.3
CVE-2022-43551 [MEDIUM] CVE-2022-43551: Another HSTS bypass via IDN
CVE-2022-43551: Another HSTS bypass via IDN
Original Report:https://hackerone.com/reports/1755083
## Impact
HSTS bypass.
CVE-2022-43551: Another HSTS bypass via IDN
Project curl Security Advisory, December 21 2022 -
[Permalink](https://curl.se/docs/CVE-2022-43551.html)
VULNERABILITY
curl's HSTS check could be bypassed to trick it to keep using HTTP.
Using its HSTS support, curl can be instructed to use HTTPS instead of using
an insecure clear-text HTTP step even when HTTP is provided in the URL.
The HSTS mechanism could be bypassed if the host name in the given URL first
uses IDN characters that get replaced to ASCII counterparts as part of the IDN
conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP)
instead of the common ASCII full stop (U+002E) `.`. Then in
HackerOne
CVE-2022-43551: Another HSTS bypass via IDN
hackerone·2022-12-21·CVSS 7.5
CVE-2022-43551 [HIGH] CVE-2022-43551: Another HSTS bypass via IDN
CVE-2022-43551: Another HSTS bypass via IDN
## Summary:
I found an issue similar to CVE-2022-42916 again.
Since the phenomenon is the same, I will describe the same as last time.
HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.',
for example "。" (UTF-8: E38082).
I think there are other characters that become "." (UTF-8: 2E) as a result of converting with IDN.
This is because the host name before IDN conversion is used when writing to the HSTS cache.
## Steps To Reproduce:
1. Start from a state where there is no entry for the access destination host name in the HSTS cache
2. `curl -v --hsts hsts.txt https://accounts.google%E3%80%82com`
3. `curl -v --hsts hsts.txt http://accounts.google%E3%80%82com`
Result of 3.
HackerOne
CVE-2022-42916: HSTS bypass via IDN
hackerone·2022-11-03·CVSS 4.3
CVE-2022-42916 [MEDIUM] CVE-2022-42916: HSTS bypass via IDN
CVE-2022-42916: HSTS bypass via IDN
Original Report:https://hackerone.com/reports/1730660
## Impact
HSTS bypass.
### CVE-2022-42916: HSTS bypass via IDN
### VULNERABILITY
curl's HSTS check could be bypassed to trick it to keep using HTTP.
Using its HSTS support, curl can be instructed to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`.
Like this: http://curl。se。
We are not aware of any exploit of this flaw.
### INFO
This flaw was introduced in [commit 7385610
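The advisory above describes the root cause: the HSTS cache was consulted and written with the host name as given in the URL, before IDN conversion turned separators such as U+3002 into ASCII `.`, so two spellings of the same host did not share a cache entry. The following is an added example, not curl's code, that models that defect beside the corrected behaviour. It uses Python's standard-library `idna` codec (RFC 3490), which splits labels on U+3002 as well as U+002E; curl itself uses libidn2 or WinIDN, so the mapping library differs, and the cache class, header, and host names below are constructed for the demonstration.

```python
"""Added example (not curl's code): an HSTS cache keyed on the raw host
string versus one keyed on the IDNA-converted name, using the U+3002
case from CVE-2022-42916.  Python's stdlib "idna" codec (RFC 3490)
treats U+3002 as a label separator, so it maps to '.' on conversion."""
import re
from typing import Dict, Optional

# Constructed sample values; none of these come from the advisory text.
SAMPLE_HSTS_HEADER = "max-age=31536000; includeSubDomains"
SPOOFED_HOST = "accounts.google\u3002com"      # U+3002 in place of '.'
TRAILING_HOST = "accounts.google.com\u3002"    # U+3002 as a trailing dot


def canonical_host(host: str) -> str:
    """Convert the host to its ASCII/IDNA form (U+3002 and similar
    separators become '.'), lower-case it and drop a trailing dot, so
    every spelling of one name yields one cache key."""
    ascii_host = host.encode("idna").decode("ascii")
    return ascii_host.lower().rstrip(".")


def parse_max_age(header: str) -> Optional[int]:
    """Extract max-age from a Strict-Transport-Security header value."""
    m = re.search(r"max-age\s*=\s*(\d+)", header, re.IGNORECASE)
    return int(m.group(1)) if m else None


class HstsCache:
    """Minimal HSTS cache.  With canonicalize=False it mirrors the flaw:
    the pre-conversion host name is the key, so a lookup for an
    equivalent but differently spelled host misses."""

    def __init__(self, canonicalize: bool) -> None:
        self.canonicalize = canonicalize
        self.entries: Dict[str, bool] = {}   # key -> includeSubDomains

    def _key(self, host: str) -> str:
        return canonical_host(host) if self.canonicalize else host.lower()

    def store(self, host: str, header: str) -> None:
        """Record the policy learned from an HTTPS response header."""
        max_age = parse_max_age(header)
        if max_age is None:
            return
        key = self._key(host)
        if max_age == 0:                       # max-age=0 clears the entry
            self.entries.pop(key, None)
            return
        self.entries[key] = "includesubdomains" in header.lower()

    def must_use_https(self, host: str) -> bool:
        """True if the host, or with includeSubDomains any parent of it,
        has a cached policy, i.e. an http:// URL must be upgraded."""
        key = self._key(host)
        if key in self.entries:
            return True
        labels = key.split(".")
        for i in range(1, len(labels)):
            if self.entries.get(".".join(labels[i:])):
                return True
        return False


def upgrade_decision(host: str, canonicalize: bool) -> bool:
    """Learn HSTS for accounts.google.com from an HTTPS response, then ask
    whether an http:// URL naming `host` would be upgraded."""
    cache = HstsCache(canonicalize)
    cache.store("accounts.google.com", SAMPLE_HSTS_HEADER)
    return cache.must_use_https(host)


if __name__ == "__main__":
    for host in (SPOOFED_HOST, TRAILING_HOST):
        print(repr(host),
              "raw key ->", upgrade_decision(host, canonicalize=False),
              "| canonical key ->", upgrade_decision(host, canonicalize=True))
```

With the raw key both spellings miss the cache and the request would stay on cleartext HTTP; with the canonical key both hit the entry learned for `accounts.google.com`. The check to carry over into any client that implements HSTS itself is that the same conversion must be applied on the store path and the lookup path, before either touches the cache.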
HackerOne
CVE-2022-42916: HSTS bypass via IDN
hackerone·2022-10-27·CVSS 7.5
CVE-2022-42916 [HIGH] CVE-2022-42916: HSTS bypass via IDN
CVE-2022-42916: HSTS bypass via IDN
## Summary:
HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.',
for example "。" (UTF-8: E38082).
I think there are other characters that become "." (UTF-8: 2E) as a result of converting with IDN.
'。(UTF-8:E38082)' is converted to '.' so it doesn't matter if it's last or not.
So the same thing happens with "http://accounts.google.com。" as well as "http://accounts.google。com".
## Steps To Reproduce:
`curl -v --hsts hsts.txt http://accounts.google.com。`
I prepared "test.sh" because I was worried about whether I could try it in an environment without Japanese fonts. The character encoding is UTF-8.
hsts.txt:
```
# Your HSTS cache. https://curl.se/docs/hsts.html
# This file was generated by libcurl! Edit at your own risk.
.accounts.
```
References
- http://seclists.org/fulldisclosure/2023/Jan/19
- http://seclists.org/fulldisclosure/2023/Jan/20
- http://www.openwall.com/lists/oss-security/2022/12/21/1
- https://curl.se/docs/CVE-2022-42916.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/
- https://security.gentoo.org/glsa/202212-01
- https://security.netapp.com/advisory/ntap-20221209-0010/
- https://support.apple.com/kb/HT213604
- https://support.apple.com/kb/HT213605
Published: 2022-10-29