CVE-2022-32208 - OpenCVE

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Macos
Debian	Debian Linux
Fedoraproject	Fedora
Haxx	Curl
Netapp	Bootstrap Os Clustered Data Ontap Element Software H300s H300s Firmware H410s H410s Firmware H500s H500s Firmware H700s H700s Firmware Hci Compute Node Hci Management Node Solidfire
Redhat	Enterprise Linux Jboss Core Services
Splunk	Universal Forwarder

Configuration 1 [-]

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*
	cpe:2.3:a:netapp:element_software:-:::::::*
	cpe:2.3:a:netapp:hci_management_node:-:::::::*
	cpe:2.3:a:netapp:solidfire:-:::::::*

Configuration 5 [-]

AND

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 10 [-]

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Configuration 11 [-]

OR	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder::::::::
	cpe:2.3:a:splunk:universal_forwarder:9.1.0:::::::*

Package	CPE	Advisory	Released Date
JBoss Core Services for RHEL 8
jbcs-httpd24-curl-0:7.86.0-2.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2022:8840	2022-12-08T00:00:00Z
JBoss Core Services on RHEL 7
jbcs-httpd24-curl-0:7.86.0-2.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2022:8840	2022-12-08T00:00:00Z
Red Hat Enterprise Linux 8
curl-0:7.61.1-22.el8_6.4	cpe:/o:redhat:enterprise_linux:8	RHSA-2022:6159	2022-08-24T00:00:00Z
Red Hat Enterprise Linux 9
curl-0:7.76.1-14.el9_0.5	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:6157	2022-08-24T00:00:00Z
curl-0:7.76.1-14.el9_0.5	cpe:/o:redhat:enterprise_linux:9	RHSA-2022:6157	2022-08-24T00:00:00Z
Red Hat JBoss Core Services 1
curl	cpe:/a:redhat:jboss_core_services:1	RHSA-2022:8841	2022-12-08T00:00:00Z

References

Link	Providers
http://seclists.org/fulldisclosure/2022/Oct/28
http://seclists.org/fulldisclosure/2022/Oct/41
https://curl.se/docs/CVE-2022-32208.html
https://hackerone.com/reports/1590071
https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/
https://nvd.nist.gov/vuln/detail/CVE-2022-32208
https://security.gentoo.org/glsa/202212-01
https://security.netapp.com/advisory/ntap-20220915-0003/
https://support.apple.com/kb/HT213488
https://www.cve.org/CVERecord?id=CVE-2022-32208
https://www.debian.org/security/2022/dsa-5197

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2022-07-07T00:00:00

Updated: 2024-08-03T07:32:55.993Z

Reserved: 2022-06-01T00:00:00

Link: CVE-2022-32208

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-07-07T13:15:08.467

Modified: 2024-03-27T15:00:41.657

Link: CVE-2022-32208

Redhat

Severity : Moderate

Publid Date: 2022-06-27T00:00:00Z

Links: CVE-2022-32208 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object