csaf2cusa/cusas/c/curl/curl-7.79.1-4_openEuler-SA-2022-1659.json
Jia Chao 0b84f3c661 Add configuration and directories for testing
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-02 15:51:55 +08:00


{
  "id": "openEuler-SA-2022-1659",
  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1659",
  "title": "An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
  "severity": "Moderate",
  "description": "cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nThis security flaw in curl allows reusing an OAUTH2 authenticated connection without properly ensuring that the connection is authenticated with the same credentials set by this transport; this issue can lead to authentication bypasses, either by mistake or by malicious actors.(CVE-2022-22576)\n\nWhen asked, curl does an HTTP(S) redirect. curl also supports authentication. When providing a user and password for a URL with a given hostname, curl makes an effort not to pass these credentials to other hosts in redirects unless permission is granted with special options. This \"same host check\" has been flawed since its introduction. It does not work with cross-protocol redirection, nor does it treat different port numbers as separate hosts. This results in leaking credentials to other servers when curl redirects from authentication protected HTTP(S) URLs to other protocols and port numbers. It could also leak TLS SRP credentials in this way. By default, curl only allows redirects to HTTP(S) and FTP(S), but you can ask to allow redirects to all curl-supported protocols.(CVE-2022-27774)\n\nThis issue with curl occurs due to a logical bug where the configuration matching function does not take into account the IPv6 address zone id, which can cause curl to reuse the wrong connection when one transfer uses the zone id and subsequent transfers use another.(CVE-2022-27775)\n\nThis security flaw in curl allows leaking authentication or cookie header data over HTTP when redirecting to the same host but a different port number, for applications passing custom Authorization: or Cookie: headers. Sending the same set of headers to servers on different port numbers is a problem, as these headers often contain privacy-sensitive information or data.(CVE-2022-27776)",
  "cves": [
    {
      "id": "CVE-2022-27776",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27776",
      "severity": "Low"
    }
  ]
}