CVE-2022-27780

Updated: 2023-11-04 20:44:39.487431

Description:

The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/` would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.
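A defensive check for this class of host-name confusion, as an added example that is not part of the advisory or of curl's own code. It uses Python's urllib and a hypothetical allowlist-based filter to show how a filter that percent-decodes the URL before splitting it is bypassed by the `http://example.com%2F127.0.0.1/` URL from the description, while a filter that rejects encoded separators inside the host component is not.

```python
from urllib.parse import urlsplit, unquote

# Reserved delimiters that separate URL components. A host name must not
# contain any of them after percent-decoding; if it does, decoding moves the
# boundary of the host component and the URL points at a different host.
SEPARATORS = frozenset("/?#@\\")


def decoded_host(url: str) -> str:
    """Host component as a decoder sees it after percent-decoding."""
    return unquote(urlsplit(url).hostname or "")


def host_is_safe(url: str) -> bool:
    """True if percent-decoding the host cannot change which host is meant."""
    return not any(ch in SEPARATORS for ch in decoded_host(url))


def naive_effective_host(url: str) -> str:
    """Host a parser ends up with when it percent-decodes the whole URL first
    and only then splits it (the flawed order this advisory describes)."""
    return urlsplit(unquote(url)).hostname or ""


def naive_allow_request(url: str, allowlist: frozenset) -> bool:
    """Hypothetical allowlist filter that decodes before it splits: bypassable."""
    return naive_effective_host(url) in allowlist


def allow_request(url: str, allowlist: frozenset) -> bool:
    """Allowlist filter that refuses any host containing an encoded separator,
    then compares the undecoded host against the allowlist."""
    if not host_is_safe(url):
        return False
    return (urlsplit(url).hostname or "") in allowlist


if __name__ == "__main__":
    # Constructed inputs: the URL from the advisory and a benign look-alike.
    allowed = frozenset({"example.com"})
    for candidate in ("http://example.com%2F127.0.0.1/", "http://example.com/127.0.0.1/"):
        print(candidate, "naive:", naive_allow_request(candidate, allowed),
              "strict:", allow_request(candidate, allowed))
```

The naive filter reports `True` for the encoded URL because it decodes to a host of `example.com`; the strict filter rejects it because the decoded host `example.com/127.0.0.1` contains a separator.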



Severity

CVSS version    Severity    Score
CVSS 2.x        MEDIUM      5
CVSS 3.x        HIGH        7.5

Status

OS name            Project name  Version  Score  Severity  Status          Errata               Last updated
CentOS 6 ELS       curl          7.19.7   7.5    HIGH      Not Vulnerable  -                    2022-06-26 14:37:44
CentOS 8.4 ELS     curl          7.61.1   7.5    HIGH      Released        CLSA-2022:1656430138 2022-06-28 11:50:08
CentOS 8.5 ELS     curl          7.61.1   7.5    HIGH      Released        CLSA-2022:1656430292 2022-06-28 11:50:08
CloudLinux 6 ELS   curl          7.19.7   7.5    HIGH      Not Vulnerable  -                    2022-06-26 14:37:44
Oracle Linux 6 ELS curl          7.19.7   7.5    HIGH      Not Vulnerable  -                    2022-06-26 14:37:44
Ubuntu 16.04 ELS   curl          7.47.0   7.5    HIGH      Not Vulnerable  -                    2022-06-26 14:37:44