CVE-2022-42916

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

CVSS v3.0 7.5 HIGH

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://curl.se/docs/CVE-2022-42916.html	Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20221209-0010/	Broken Link
https://security.gentoo.org/glsa/202212-01	Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/12/21/1	Third Party Advisory
https://support.apple.com/kb/HT213604	Third Party Advisory
https://support.apple.com/kb/HT213605	Third Party Advisory
http://seclists.org/fulldisclosure/2023/Jan/19	Third Party Advisory
http://seclists.org/fulldisclosure/2023/Jan/20	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*
	cpe:2.3:o:fedoraproject:fedora:37:::::::*

Configuration 3 (hide)

OR	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::

Information

Published : 2022-10-28 19:15

Updated : 2023-02-10 08:04

NVD link : CVE-2022-42916

Mitre link : CVE-2022-42916

JSON object : View

CWE

CWE-319

Cleartext Transmission of Sensitive Information

Products Affected

fedoraproject

fedora

apple

macos

haxx

curl

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://curl.se/docs/CVE-2022-42916.html", "name": "https://curl.se/docs/CVE-2022-42916.html", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/", "name": "FEDORA-2022-01ffde372c", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/", "name": "FEDORA-2022-39688a779d", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/", "name": "FEDORA-2022-e9d65906c4", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "FEDORA"}, {"url": "https://security.netapp.com/advisory/ntap-20221209-0010/", "name": "https://security.netapp.com/advisory/ntap-20221209-0010/", "tags": ["Broken Link"], "refsource": "CONFIRM"}, {"url": "https://security.gentoo.org/glsa/202212-01", "name": "GLSA-202212-01", "tags": ["Third Party Advisory"], "refsource": "GENTOO"}, {"url": "http://www.openwall.com/lists/oss-security/2022/12/21/1", "name": "[oss-security] 20221221 curl: CVE-2022-43551: Another HSTS bypass via IDN", "tags": ["Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://support.apple.com/kb/HT213604", "name": "https://support.apple.com/kb/HT213604", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://support.apple.com/kb/HT213605", "name": "https://support.apple.com/kb/HT213605", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://seclists.org/fulldisclosure/2023/Jan/19", "name": "20230123 APPLE-SA-2023-01-23-4 macOS Ventura 13.2", "tags": ["Third Party Advisory"], "refsource": "FULLDISC"}, {"url": "http://seclists.org/fulldisclosure/2023/Jan/20", "name": "20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3", "tags": ["Third Party Advisory"], "refsource": "FULLDISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-319"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-42916", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}}, "publishedDate": "2022-10-29T02:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.86.0", "versionStartIncluding": "7.77.0"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "13.3", "versionStartIncluding": "13.0"}, {"cpe23Uri": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "12.6.3"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-10T16:04Z"}

7.5 /10