Splunk Universal Forwarder vulnerabilities

CVE-2022-37439 [MEDIUM] CWE-409 CVE-2022-37439: In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially c In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts to restart the application would result in a crash and would require manually removing the malformed file.

CVE-2022-35737 [HIGH] CWE-129 CVE-2022-35737: SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

CVE-2022-32207 [CRITICAL] CWE-840 CVE-2022-32207: When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomi When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than inten

CVE-2022-32205 [MEDIUM] CWE-770 CVE-2022-32205: A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl a A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to av

CVE-2022-32206 [MEDIUM] CWE-770 CVE-2022-32206: curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be c curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a

CVE-2022-32208 [MEDIUM] CWE-840 CVE-2022-32208: When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wron When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

CVE-2022-32156 [HIGH] CWE-295 CVE-2022-32156: In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. After updating to version 9.0, see Configure TLS host name validation for the Splunk CLI https://docs.splunk.com/Documentation/Splunk/9.0.0/Security

CVE-2022-27775 [HIGH] CWE-200 CVE-2022-27775: An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

CVE-2022-27782 [HIGH] CWE-840 CVE-2022-27782: libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been ch libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match che

CVE-2022-27780 [HIGH] CWE-177 CVE-2022-27780: The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host na The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a *different* URL usingthe wrong host name when it is later retrieved.For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed bythe parser and get transposed into `http://example.com/127.0.0.1/`. This flaw

CVE-2022-27778 [HIGH] CWE-706 CVE-2022-27778: A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `- A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`.

CVE-2022-27781 [HIGH] CWE-400 CVE-2022-27781: libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returne libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.

CVE-2022-27779 [MEDIUM] CWE-201 CVE-2022-27779: libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided wi libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast preven

CVE-2022-27774 [MEDIUM] CWE-522 CVE-2022-27774: An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.

CVE-2022-27776 [MEDIUM] CWE-522 CVE-2022-27776: A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authenticati A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

CVE-2022-30115 [MEDIUM] CWE-325 CVE-2022-30115: Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure cle Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the

CVE-2022-22576 [HIGH] CWE-287 CVE-2022-22576: An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might a An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only

CVE-2021-22946 [HIGH] CWE-325 CVE-2021-22946: A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate re

CVE-2021-22947 [MEDIUM] CWE-310 CVE-2021-22947: When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *b

CVE-2021-22945 [CRITICAL] CWE-415 CVE-2021-22945: When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances errone When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.