CVE-2022-43551
Published 2022-12-23
Priority P3 · 55 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 17.01% (96.7th percentile)
A vulnerability exists in the HSTS check of curl <7.87.0 that could be bypassed to trick it into continuing to use HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, for example the character U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. In a subsequent request, curl then does not detect the HSTS state and makes a clear-text transfer, because it would store the info IDN encoded but look for it IDN decoded.
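The store/lookup key mismatch described above, as a minimal Python model (an added example, not curl's code). `idn_convert`, `HstsCache` and the host `login.example。com` are constructed for illustration, IDN conversion is reduced to folding the RFC 3490 dot equivalents, and which side of the cache holds the converted form is an assumption of the sketch.

```python
# Added illustration: a toy HSTS cache, not curl's implementation.
# Code points that IDNA (RFC 3490) treats as label separators besides U+002E.
IDNA_DOTS = {0x3002: ".", 0xFF0E: ".", 0xFF61: "."}


def idn_convert(host: str) -> str:
    """Simplified stand-in for IDN conversion: fold dot equivalents, lowercase."""
    return host.translate(IDNA_DOTS).lower()


class HstsCache:
    def __init__(self, convert_on_lookup: bool):
        self.convert_on_lookup = convert_on_lookup
        self.pinned = set()

    def store(self, host: str) -> None:
        # Assumption of this sketch: entries are written under the converted name.
        self.pinned.add(idn_convert(host))

    def is_pinned(self, host: str) -> bool:
        # Mismatched variant: looks up the name exactly as it appeared in the URL.
        key = idn_convert(host) if self.convert_on_lookup else host.lower()
        return key in self.pinned


def effective_scheme(cache: HstsCache, scheme: str, host: str) -> str:
    """Upgrade http to https when the host has an HSTS entry."""
    return "https" if scheme == "http" and cache.is_pinned(host) else scheme


def replay(convert_on_lookup: bool) -> str:
    """Constructed two-request sequence: HTTPS visit stores HSTS, then an HTTP URL."""
    cache = HstsCache(convert_on_lookup)
    host = "login.example\u3002com"  # constructed host using U+3002
    cache.store(host)                 # first request: response set HSTS
    return effective_scheme(cache, "http", host)


def has_dot_equivalent(host: str) -> bool:
    """Flag host names carrying a non-ASCII label separator (useful in log review)."""
    return any(ord(ch) in IDNA_DOTS for ch in host)


if __name__ == "__main__":
    print("mismatched keys   :", replay(False))
    print("same key both ways:", replay(True))
```

Using one canonical form of the host name for both the cache write and the cache read is what keeps the second request on HTTPS; `has_dot_equivalent` can be run over proxy or client logs to spot host names that rely on the conversion.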
Affected
30 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_ventura | — | — |
| debian | curl | < curl 7.86.0-3 (bookworm) | curl 7.86.0-3 (bookworm) |
| fedoraproject | fedora | — | — |
| haxx | curl | >= 0 < 7.86.0-3 | 7.86.0-3 |
| haxx | curl | >= 0 < 7.86.0-3 | 7.86.0-3 |
| haxx | curl | >= 0 < 7.86.0-3 | 7.86.0-3 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.22 | 7.58.0-2ubuntu3.22 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.15 | 7.68.0-1ubuntu2.15 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.7 | 7.81.0-1ubuntu1.7 |
| haxx | curl | >= 7.77.0 < 7.87.0 | 7.87.0 |
| https | github.com_curl_curl | — | — |
| msrc | azl3_cmake_3.21.4-10_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.11.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cmake_3.21.4-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_curl_7.86.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
vendor_msrc · 7.5 HIGH
vendor_oracle · 7.5 HIGH
vendor_redhat · 7.5 HIGH
vendor_ubuntu · 7.5 HIGH
CISA ICS
Siemens SINEC NMS Third-Party
cisa_ics·2023-05-11·CVSS 9.8
[CRITICAL] Siemens SINEC NMS Third-Party
ICS Advisory
Release Date: May 11, 2023
Alert Code: ICSA-23-131-05
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Third-party components libexpat and libcurl in SINEC NMS
- Vulnerabilities: Expected Behavior Violation, Improper Validation of Syntactic Correctness of Input, Stack-based Buffer Overflow, Use After Free, Double Free, Cleartext Tran
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (cURL) — CVE-2022-43551
vendor_oracle·2023-04-15·CVSS 7.5
CVE-2022-43551 [HIGH] Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (cURL) — CVE-2022-43551
Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (cURL) vulnerability
CVE: CVE-2022-43551
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
Apple
CVE-2022-43551: macOS Ventura 13.3
vendor_apple·2023-03-27·CVSS 7.5
CVE-2022-43551 [HIGH] CVE-2022-43551: macOS Ventura 13.3
Apple Security Update: About the security content of macOS Ventura 13.3
Product: macOS Ventura
Version: 13.3
CVE: CVE-2022-43551
Component: CVE-2022-43551
Ubuntu
curl vulnerabilities
vendor_ubuntu·2023-01-05·CVSS 7.5
CVE-2022-43551 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Hiroki Kurosawa discovered that curl incorrectly handled HSTS support
when certain hostnames included IDN characters. A remote attacker could
possibly use this issue to cause curl to use unencrypted connections. This
issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-43551)
It was discovered that curl incorrectly handled denials when using HTTP
proxies. A remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2022-43552)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: HSTS bypass via IDN
vendor_redhat·2022-12-21·CVSS 7.5
CVE-2022-43551 [HIGH] CWE-319 curl: HSTS bypass via IDN
curl: HSTS bypass via IDN
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.
A vulnerability was found in curl. The issue can occur wh
Microsoft
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support curl can be instructed to use HTTPS instead of using an insecure clear-t
vendor_msrc·2022-12-13·CVSS 7.5
CVE-2022-43551 [HIGH] CWE-319 A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support curl can be instructed to use HTTPS instead of using an insecure clear-t
A vulnerability exists in curl
Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
hackerone: hackerone
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/az
Debian
CVE-2022-43551: curl - A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to tric...
vendor_debian·2022·CVSS 7.5
CVE-2022-43551 [HIGH] CVE-2022-43551: curl - A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to tric...
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.
Scope: local
bookworm: resolved (fixed in 7.86.0-3)
bullseye: open
forky: resolved (f
OSV
curl vulnerabilities
osv·2023-01-05·CVSS 7.5
CVE-2022-43551 [HIGH] curl vulnerabilities
curl vulnerabilities
Hiroki Kurosawa discovered that curl incorrectly handled HSTS support
when certain hostnames included IDN characters. A remote attacker could
possibly use this issue to cause curl to use unencrypted connections. This
issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-43551)
It was discovered that curl incorrectly handled denials when using HTTP
proxies. A remote attacker could use this issue to cause curl to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2022-43552)
GHSA
GHSA-25m2-mpq4-29vh: A vulnerability exists in curl <7
ghsa_unreviewed·2022-12-23
CVE-2022-43551 [HIGH] CWE-319 GHSA-25m2-mpq4-29vh: A vulnerability exists in curl <7
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.
OSV
CVE-2022-43551: A vulnerability exists in curl <7
osv·2022-12-23·CVSS 7.5
CVE-2022-43551 [HIGH] CVE-2022-43551: A vulnerability exists in curl <7
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2022-43551: Another HSTS bypass via IDN
hackerone·2023-02-03·CVSS 4.3
CVE-2022-43551 [MEDIUM] CVE-2022-43551: Another HSTS bypass via IDN
CVE-2022-43551: Another HSTS bypass via IDN
Original Report: https://hackerone.com/reports/1755083
## Impact
HSTS bypass.
CVE-2022-43551: Another HSTS bypass via IDN
Project curl Security Advisory, December 21 2022 -
[Permalink](https://curl.se/docs/CVE-2022-43551.html)
VULNERABILITY
curl's HSTS check could be bypassed to trick it to keep using HTTP.
Using its HSTS support, curl can be instructed to use HTTPS instead of using
an insecure clear-text HTTP step even when HTTP is provided in the URL.
The HSTS mechanism could be bypassed if the host name in the given URL first
uses IDN characters that get replaced to ASCII counterparts as part of the IDN
conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP)
instead of the common ASCII full stop (U+002E) `.`. Then in
HackerOne
CVE-2022-43551: Another HSTS bypass via IDN
hackerone·2022-12-21·CVSS 7.5
CVE-2022-43551 [HIGH] CVE-2022-43551: Another HSTS bypass via IDN
CVE-2022-43551: Another HSTS bypass via IDN
## Summary:
I found an issue similar to CVE-2022-42916 again.
Since the phenomenon is the same, I will describe the same as last time.
HSTS checks are bypassed if any character in the IDN converts (Nameprep) to a '.',
for example "。" (UTF-8: E38082).
I think there are other characters that become ".(UTF-8:2E)" as a result of converting with IDN.
This is because the host name before IDN conversion is used when writing to the HSTS cache.
## Steps To Reproduce:
[add details for how we can reproduce the issue]
1. Start from a state where there is no entry for the access destination host name in the HSTS cache
2. `curl -v --hsts hsts.txt https://accounts.google%E3%80%82com`
3. `curl -v --hsts hsts.txt http://accounts.google%E3%80%82com`
Result of 3.
`
https://hackerone.com/reports/1755083
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA/
https://security.gentoo.org/glsa/202310-12
https://security.netapp.com/advisory/ntap-20230427-0007/