{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-42916", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T13:19:05.420Z", "dateReserved": "2022-10-13T00:00:00", "datePublished": "2022-10-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-24T00:00:00"}, "descriptions": [{"lang": "en", "value": "In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://curl.se/docs/CVE-2022-42916.html"}, {"name": "FEDORA-2022-01ffde372c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/"}, {"name": "FEDORA-2022-39688a779d", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/"}, {"name": "FEDORA-2022-e9d65906c4", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/"}, {"url": "https://security.netapp.com/advisory/ntap-20221209-0010/"}, {"name": "GLSA-202212-01", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202212-01"}, {"name": "[oss-security] 20221221 curl: CVE-2022-43551: Another HSTS bypass via IDN", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/12/21/1"}, {"url": "https://support.apple.com/kb/HT213604"}, {"url": "https://support.apple.com/kb/HT213605"}, {"name": "20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2023/Jan/20"}, {"name": "20230123 APPLE-SA-2023-01-23-4 macOS Ventura 13.2", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2023/Jan/19"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:19:05.420Z"}, "title": "CVE Program Container", "references": [{"url": "https://curl.se/docs/CVE-2022-42916.html", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-01ffde372c", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/"}, {"name": "FEDORA-2022-39688a779d", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/"}, {"name": "FEDORA-2022-e9d65906c4", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/"}, {"url": "https://security.netapp.com/advisory/ntap-20221209-0010/", "tags": ["x_transferred"]}, {"name": "GLSA-202212-01", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202212-01"}, {"name": "[oss-security] 20221221 curl: CVE-2022-43551: Another HSTS bypass via IDN", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/12/21/1"}, {"url": "https://support.apple.com/kb/HT213604", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT213605", "tags": ["x_transferred"]}, {"name": "20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2023/Jan/20"}, {"name": "20230123 APPLE-SA-2023-01-23-4 macOS Ventura 13.2", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2023/Jan/19"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "matchCriteriaId": "78BC634D-BD5D-47EA-BDE1-615E599A1DE5", "versionEndExcluding": "7.86.0", "versionStartIncluding": "7.77.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4459FCD-53C3-4BD1-9744-4B340113434D", "versionEndExcluding": "12.6.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CEC72CB-1F5B-4BF5-80F0-357E27855D2A", "versionEndExcluding": "13.2", "versionStartIncluding": "13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*", "matchCriteriaId": "5722E753-75DE-4944-A11B-556CB299B57D", "versionEndExcluding": "8.2.12", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC0F9351-81A4-4FEA-B6B5-6E960A933D32", "versionEndExcluding": "9.0.6", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EED24E67-2957-4C1B-8FEA-E2D2FE7B97FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26."}, {"lang": "es", "value": "En curl anterior a 7.86.0, se pod\u00eda omitir la verificaci\u00f3n HSTS para enga\u00f1arlo y que se quedara con HTTP. Usando su soporte HSTS, se puede indicar a curl que use HTTPS directamente (en lugar de usar un paso HTTP de texto limpio inseguro) incluso cuando se proporciona HTTP en la URL. Este mecanismo podr\u00eda omitirse si el nombre de anfitri\u00f3n en la URL dada usa caracteres IDN que se reemplazan con sus hom\u00f3logos ASCII como parte de la conversi\u00f3n de IDN, por ejemplo, usando el car\u00e1cter UTF-8 U+3002 (DEOGRAPHIC FULL STOP) en lugar del ASCII com\u00fan. punto final de U+002E (.). La primera versi\u00f3n afectada es la 7.77.0 2021-05-26."}], "id": "CVE-2022-42916", "lastModified": "2024-03-27T14:59:02.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-29T02:15:09.047", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Jan/19"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Jan/20"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/12/21/1"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2022-42916.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202212-01"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://security.netapp.com/advisory/ntap-20221209-0010/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213604"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213605"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8840", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-curl-0:7.86.0-2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2022:8840", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:7.86.0-2.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2022-12-08T00:00:00Z"}, {"advisory": "RHSA-2022:8841", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "curl", "product_name": "Red Hat JBoss Core Services 1", "release_date": "2022-12-08T00:00:00Z"}], "bugzilla": {"description": "curl: HSTS bypass via IDN", "id": "2135416", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135416"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-319", "details": ["In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.", "A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`."], "name": "CVE-2022-42916", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-10-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-42916\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-42916\nhttps://curl.se/docs/CVE-2022-42916.html"], "threat_severity": "Moderate", "upstream_fix": "curl 7.86.0"}