CVE Vulnerabilities

CVE-2022-27782

Improper Certificate Validation

Published: Jun 02, 2022 | Modified: Mar 27, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Curl Haxx * 7.83.1 (excluding)
Curl Ubuntu bionic *
Curl Ubuntu devel *
Curl Ubuntu esm-infra/bionic *
Curl Ubuntu esm-infra/xenial *
Curl Ubuntu focal *
Curl Ubuntu impish *
Curl Ubuntu jammy *
Curl Ubuntu trusty/esm *
Curl Ubuntu upstream *
Red Hat Enterprise Linux 8 RedHat curl-0:7.61.1-22.el8_6.3 *
Red Hat Enterprise Linux 9 RedHat curl-0:7.76.1-14.el9_0.4 *
Red Hat Enterprise Linux 9 RedHat curl-0:7.76.1-14.el9_0.4 *

Potential Mitigations

References