CVE-2022-27782 | Vulnerability Database | Aqua Security

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

Affected Software

Name	Vendor	Start Version	End Version
Curl	Haxx	*	7.83.1 (excluding)
Red Hat Enterprise Linux 8	RedHat	curl-0:7.61.1-22.el8_6.3	*
Red Hat Enterprise Linux 9	RedHat	curl-0:7.76.1-14.el9_0.4	*
Red Hat Enterprise Linux 9	RedHat	curl-0:7.76.1-14.el9_0.4	*
Curl	Ubuntu	bionic	*
Curl	Ubuntu	devel	*
Curl	Ubuntu	esm-infra-legacy/trusty	*
Curl	Ubuntu	esm-infra/xenial	*
Curl	Ubuntu	focal	*
Curl	Ubuntu	impish	*
Curl	Ubuntu	jammy	*
Curl	Ubuntu	trusty/esm	*
Curl	Ubuntu	upstream	*

References

http://www.openwall.com/lists/oss-security/2023/03/20/6
https://hackerone.com/reports/1555796
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220609-0009/
https://www.debian.org/security/2022/dsa-5197
http://www.openwall.com/lists/oss-security/2023/03/20/6
https://hackerone.com/reports/1555796
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220609-0009/
https://www.debian.org/security/2022/dsa-5197

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-27782
CWE	https://cwe.mitre.org/data/definitions/840.html