CVE-2022-32205 - Vulnerability Details

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.02588.

Exploitation poc

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

https://github.com/curl/curl

affected

Version	Status	Constraints
`Fixed in 7.84.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*
	cpe:2.3:a:netapp:element_software:-:::::::*
	cpe:2.3:a:netapp:hci_management_node:-:::::::*
	cpe:2.3:a:netapp:solidfire:-:::::::*

Configuration 5 [-]

AND

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

Configuration 9 [-]

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:siemens:scalance_sc622-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc622-2c:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:siemens:scalance_sc626-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc626-2c:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:siemens:scalance_sc632-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc632-2c:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:siemens:scalance_sc636-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc636-2c:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:siemens:scalance_sc642-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc642-2c:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:siemens:scalance_sc646-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc646-2c:-:*:*:*:*:*:*:*

Configuration 16 [-]

OR	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder:9.1.0:::::::*

No data.

Project Subscriptions

Vendors	Products
Apple Subscribe	Macos Subscribe
Debian Subscribe	Debian Linux Subscribe
Fedoraproject Subscribe	Fedora Subscribe
Haxx Subscribe	Curl Subscribe
Netapp Subscribe	Clustered Data Ontap Subscribe Element Software Subscribe H300s Subscribe H300s Firmware Subscribe H410s Subscribe H410s Firmware Subscribe H500s Subscribe H500s Firmware Subscribe H700s Subscribe H700s Firmware Subscribe Hci Management Node Subscribe Solidfire Subscribe
Siemens Subscribe	Scalance Sc622-2c Subscribe Scalance Sc622-2c Firmware Subscribe Scalance Sc626-2c Subscribe Scalance Sc626-2c Firmware Subscribe Scalance Sc632-2c Subscribe Scalance Sc632-2c Firmware Subscribe Scalance Sc636-2c Subscribe Scalance Sc636-2c Firmware Subscribe Scalance Sc642-2c Subscribe Scalance Sc642-2c Firmware Subscribe Scalance Sc646-2c Subscribe Scalance Sc646-2c Firmware Subscribe
Splunk Subscribe	Universal Forwarder Subscribe

Advisories

Source	ID	Title
Debian DSA	DSA-5197-1	curl security update
Ubuntu USN	USN-5495-1	curl vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://seclists.org/fulldisclosure/2022/Oct/28
http://seclists.org/fulldisclosure/2022/Oct/41
https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
https://curl.se/docs/CVE-2022-32205.html
https://hackerone.com/reports/1569946
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/
https://nvd.nist.gov/vuln/detail/CVE-2022-32205
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220915-0003/
https://support.apple.com/kb/HT213488
https://www.cve.org/CVERecord?id=CVE-2022-32205
https://www.debian.org/security/2022/dsa-5197

History

Mon, 05 May 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2022-07-07T00:00:00.000Z

Updated: 2025-05-05T16:17:03.151Z

Reserved: 2022-06-01T00:00:00.000Z

Link: CVE-2022-32205

Vulnrichment

Updated: 2024-08-03T07:32:56.071Z

NVD

Status : Modified

Published: 2022-07-07T13:15:08.277

Modified: 2025-05-05T17:18:12.680

Link: CVE-2022-32205

Redhat

Severity : Low

Publid Date: 2022-06-27T00:00:00Z

Links: CVE-2022-32205 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-770

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object