First published: Wed Jun 01 2022
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot.

curl can be told to receive and send cookies. curl's "cookie engine" can be built with or without [Public Suffix List](https://publicsuffix.org/) awareness. If PSL support is not provided, a more rudimentary check exists to at least prevent cookies from being set on TLDs. This check was broken if the host name in the URL uses a trailing dot (for example `https://www.example.com./`, which names the same host as `https://www.example.com/`): the trailing dot makes a bare TLD such as `com.` look like it contains a dot and therefore pass the check. Builds with PSL support do not rely on this rudimentary check.

This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
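To make the failure mode concrete, the following is an added example (not curl's own source) that models the non-PSL cookie-domain decision in two forms: a rudimentary "does the domain contain a dot" TLD check of the kind described above, and a hardened version that strips trailing dots before looking for an interior dot. Function names (`tld_check_vulnerable`, `tld_check_fixed`, `tailmatch`, `cookie_domain_allowed`) and the host/domain pairs in `main` are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Vulnerable form of the rudimentary (non-PSL) TLD check, as an illustration
 * of the bug class: a cookie domain with no dot is treated as a TLD and
 * rejected, but any dot at all counts. A trailing dot defeats it, because
 * "com." contains a dot and is accepted even though it names the TLD. */
bool tld_check_vulnerable(const char *domain)
{
    if (strcasecmp(domain, "localhost") == 0)
        return true;                        /* localhost is a permitted special case */
    return strchr(domain, '.') != NULL;     /* any dot => "not a TLD" (the bug) */
}

/* Hardened check: ignore trailing dot(s) first, then require a dot that sits
 * between two labels. "com." and "com.." are now treated the same as "com". */
bool tld_check_fixed(const char *domain)
{
    size_t len = strlen(domain);
    while (len > 0 && domain[len - 1] == '.')
        len--;                              /* strip trailing dot(s) */
    if (len == 0)
        return false;                       /* "." or "" is never a valid cookie domain */
    if (len == strlen("localhost") && strncasecmp(domain, "localhost", len) == 0)
        return true;
    for (size_t i = 0; i + 1 < len; i++)    /* an interior dot: "a.b", not "b." */
        if (domain[i] == '.')
            return true;
    return false;
}

/* The other half of the decision: the cookie domain must equal the host or be
 * a suffix of it on a label boundary (case-insensitive). Constructed helper. */
static bool tailmatch(const char *host, const char *domain)
{
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl > hl || strcasecmp(host + hl - dl, domain) != 0)
        return false;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* Would a cookie with Domain=<domain> set by <host> be stored?
 * fixed=false uses the vulnerable TLD check, fixed=true the hardened one. */
bool cookie_domain_allowed(const char *host, const char *domain, bool fixed)
{
    if (!tailmatch(host, domain))
        return false;
    return fixed ? tld_check_fixed(domain) : tld_check_vulnerable(domain);
}

int main(void)
{
    /* Constructed scenario: a site reached via a trailing-dot URL tries to
     * set a cookie for the whole TLD. */
    const char *host = "www.evil.com.";
    const char *domain = "com.";
    printf("host=%s Domain=%s  vulnerable: %s  fixed: %s\n", host, domain,
           cookie_domain_allowed(host, domain, false) ? "ACCEPTED" : "rejected",
           cookie_domain_allowed(host, domain, true) ? "ACCEPTED" : "rejected");
    return 0;
}
```

With the vulnerable check the `Domain=com.` cookie is accepted and would later be sent to every `.com` host; the hardened check rejects it while still accepting ordinary domains such as `example.com.` and `localhost.`.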
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Curl | >=7.82.0 <7.83.1 | Upgrade to 7.83.1 or later |
NetApp Bootstrap OS | | See NetApp advisory ntap-20220609-0009 |
NetApp HCI Compute Node | | See NetApp advisory ntap-20220609-0009 |
IBM Data ONTAP | | See NetApp advisory ntap-20220609-0009 |
NetApp SolidFire Enterprise SDS | | See NetApp advisory ntap-20220609-0009 |
NetApp SolidFire & HCI Management Node | | See NetApp advisory ntap-20220609-0009 |
NetApp H410S | | See NetApp advisory ntap-20220609-0009 |
NetApp H410S Firmware | | See NetApp advisory ntap-20220609-0009 |
NetApp H700S | | See NetApp advisory ntap-20220609-0009 |
NetApp H500e Firmware | | See NetApp advisory ntap-20220609-0009 |
NetApp H300S Firmware | | See NetApp advisory ntap-20220609-0009 |
Splunk Universal Forwarder | >=8.2.0 <8.2.12 | Upgrade to 8.2.12 or later |
Splunk Universal Forwarder | >=9.0.0 <9.0.6 | Upgrade to 9.0.6 or later |
Splunk Universal Forwarder | =9.1.0 | |
CVE-2022-27779 is a vulnerability in libcurl that allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot.
CVE-2022-27779 has a severity rating of 5.3 (medium).
The software affected by CVE-2022-27779 includes Haxx Curl versions 7.82.0 and 7.83.0 (that is, 7.82.0 up to but not including 7.83.1), when built without Public Suffix List support. The downstream products listed above ship or embed an affected libcurl.
To fix CVE-2022-27779, upgrade to Curl 7.83.1 or later, or apply the vendor update listed in the table above.
You can find more information about CVE-2022-27779 in the following references: [HackerOne](https://hackerone.com/reports/1553301), [Gentoo Security](https://security.gentoo.org/glsa/202212-01), [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20220609-0009/)