libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2024-08-03T05:33:00.476Z

Reserved: 2022-03-23T00:00:00

Link: CVE-2022-27779

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-06-02T14:15:44.093

Modified: 2024-11-21T06:56:10.303

Link: CVE-2022-27779

cve-icon Redhat

Severity : Moderate

Publid Date: 2022-05-11T00:00:00Z

Links: CVE-2022-27779 - Bugzilla

cve-icon OpenCVE Enrichment

No data.